From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | pgsql-committers(at)postgresql(dot)org |
Subject: | pgsql: Disallow SSL session tickets. |
Date: | 2017-08-04 15:07:31 |
Message-ID: | E1ddeCJ-0005BO-EH@gemulon.postgresql.org |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-committers |
Disallow SSL session tickets.
We don't actually support session tickets, since we do not create an SSL
session identifier. But it seems that OpenSSL will issue a session ticket
on-demand anyway, which will then fail when used. This results in
reconnection failures when using ticket-aware client-side SSL libraries
(such as the Npgsql .NET driver), as reported by Shay Rojansky.
To fix, just tell OpenSSL not to issue tickets. At some point in the
far future, we might consider enabling tickets instead. But the security
implications of that aren't entirely clear; and besides it would have
little benefit except for very short-lived database connections, which is
Something We're Bad At anyhow. It would take a lot of other work to get
to a point where that would really be an exciting thing to do.
While at it, also tell OpenSSL not to use a session cache. This doesn't
really do anything, since a backend would never populate the cache anyway,
but it might gain some micro-efficiencies and/or reduce security
exposures.
Patch by me, per discussion with Heikki Linnakangas and Shay Rojansky.
Back-patch to all supported versions.
Discussion: https://postgr.es/m/CADT4RqBU8N-csyZuzaook-c795dt22Zcwg1aHWB6tfVdAkodZA@mail.gmail.com
Branch
------
REL9_4_STABLE
Details
-------
https://git.postgresql.org/pg/commitdiff/8d05db3d8e0c507d2e1fead4acceed73565e3ccc
Modified Files
--------------
src/backend/libpq/be-secure.c | 8 ++++++++
1 file changed, 8 insertions(+)
From | Date | Subject | |
---|---|---|---|
Next Message | Tom Lane | 2017-08-04 15:45:24 | pgsql: Apply ALTER ... SET NOT NULL recursively in ALTER ... ADD PRIMAR |
Previous Message | Peter Eisentraut | 2017-08-04 02:15:34 | pgsql: Add missing ALTER USER variants |