Add configuration parameter ssl_renegotiation_limit to control

how often we do SSL session key renegotiation. Can be set to 0 to disable renegotiation completely, which is required if a broken SSL library is used (broken patches to CVE-2009-3555 a known cause) or when using a client library that can't do renegotiation.
2025-08-19 23:22:23 +03:00 · 2010-02-25 13:26:23 +00:00
parent fbdf9712af
commit 0a1ec273a0
4 changed files with 45 additions and 6 deletions
--- a/src/backend/libpq/be-secure.c
+++ b/src/backend/libpq/be-secure.c
@@ -11,7 +11,7 @@
 *
 *
 * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.83.2.3 2009/12/30 03:46:01 tgl Exp $
+ *	  $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.83.2.4 2010/02/25 13:26:22 mha Exp $
 *
 *	  Since the server static private key ($DataDir/server.key)
 *	  will normally be stored unencrypted so that the database
@@ -120,13 +120,14 @@ static void close_SSL(Port *);
 static const char *SSLerrmessage(void);
 #endif

-#ifdef USE_SSL
 /*
 *	How much data can be sent across a secure connection
 *	(total in both directions) before we require renegotiation.
+ *	Set to 0 to disable renegotiation completely.
 */
-#define RENEGOTIATION_LIMIT (512 * 1024 * 1024)
+int ssl_renegotiation_limit;

+#ifdef USE_SSL
 static SSL_CTX *SSL_context = NULL;

 /* GUC variable controlling SSL cipher list */
@@ -338,7 +339,7 @@ secure_write(Port *port, void *ptr, size_t len)
 	{
 		int			err;

-		if (port->count > RENEGOTIATION_LIMIT)
+		if (ssl_renegotiation_limit && port->count > ssl_renegotiation_limit * 1024L)
 		{
 			SSL_set_session_id_context(port->ssl, (void *) &SSL_context,
 									   sizeof(SSL_context));
--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -10,7 +10,7 @@
 * Written by Peter Eisentraut <peter_e@gmx.net>.
 *
 * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.432.2.6 2010/01/24 21:49:39 tgl Exp $
+ *	  $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.432.2.7 2010/02/25 13:26:22 mha Exp $
 *
 *--------------------------------------------------------------------
 */
@@ -112,6 +112,7 @@ extern char *default_tablespace;
 extern char *temp_tablespaces;
 extern bool synchronize_seqscans;
 extern bool fullPageWrites;
+extern int	ssl_renegotiation_limit;

 #ifdef TRACE_SORT
 extern bool trace_sort;
@@ -1720,6 +1721,16 @@ static struct config_int ConfigureNamesInt[] =
 		0, 0, INT_MAX, assign_tcp_keepalives_interval, show_tcp_keepalives_interval
 	},

+	{
+		{"ssl_renegotiation_limit", PGC_USERSET, CONN_AUTH_SECURITY,
+			gettext_noop("Set the amount of traffic to send and receive before renegotiating the encryption keys."),
+			NULL,
+			GUC_UNIT_KB,
+		},
+		&ssl_renegotiation_limit,
+		512 * 1024, 0, MAX_KILOBYTES, NULL, NULL
+	},
+
 	{
 		{"tcp_keepalives_count", PGC_USERSET, CLIENT_CONN_OTHER,
 			gettext_noop("Maximum number of TCP keepalive retransmits."),
--- a/src/backend/utils/misc/postgresql.conf.sample
+++ b/src/backend/utils/misc/postgresql.conf.sample
@@ -76,6 +76,7 @@
 #ssl = off				# (change requires restart)
 #ssl_ciphers = 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH'	# allowed SSL ciphers
 					# (change requires restart)
+#ssl_renegotiation_limit = 512MB	# amount of data between renegotiations
 #password_encryption = on
 #db_user_namespace = off