Re: Recent vendor SSL renegotiation patches break PostgreSQL

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Magnus Hagander <magnus(at)hagander(dot)net>
Cc: Bruce Momjian <bruce(at)momjian(dot)us>, Chris Campbell <chris_campbell(at)mac(dot)com>, Robert Haas <robertmhaas(at)gmail(dot)com>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Recent vendor SSL renegotiation patches break PostgreSQL
Date: 2010-02-22 17:25:08
Message-ID: 27050.1266859508@sss.pgh.pa.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

Magnus Hagander <magnus(at)hagander(dot)net> writes:
> 2010/2/22 Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>:
>> Red Hat's already shipping the patch. Dunno about other vendors.

> Which patch? The one that breaks it, or the one that changes the protocol?

The one with the protocol change.

I think we already missed the window where it would have been sensible
to install a hack workaround for this. If we'd done that in November
it might have been reasonable, but by now it's too late for any hack
we install to spread much faster than fixed openssl libraries.

> One way to deal with it would be to expose the whole renegotiation
> setting as a user configuratble option. So they can set *when* we
> renegotiate, which would also let them turn it off completely.

Well, that might be a reasonable thing to do, because it's not just a
temporary kluge (that we won't know when to remove) but is adding an
arguably-useful-in-other-ways knob.

> And it's definitely not back-patchable.

Why not? We certainly wouldn't back-patch such a thing if we didn't
have a problem to deal with, but it's not like there's no precedent
for adding back-patched GUCs in response to security issues. We
did that with backslash_quote.

regards, tom lane

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Hitoshi Harada 2010-02-22 17:25:11 Reason why set-value functions not allowed in GREATEST(), etc?
Previous Message Magnus Hagander 2010-02-22 17:00:33 Re: Recent vendor SSL renegotiation patches break PostgreSQL