Add configuration parameter ssl_renegotiation_limit to control

how often we do SSL session key renegotiation. Can be set to 0 to disable renegotiation completely, which is required if a broken SSL library is used (broken patches to CVE-2009-3555 a known cause) or when using a client library that can't do renegotiation.
2025-07-28 23:42:10 +03:00 · 2010-02-25 13:26:16 +00:00
parent 0ccc5153f8
commit 413d34be4e
4 changed files with 45 additions and 6 deletions
--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@ -10,7 +10,7 @@
 * Written by Peter Eisentraut <peter_e@gmx.net>.
 *
 * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.541 2010/02/17 04:19:40 tgl Exp $
+ *	  $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.542 2010/02/25 13:26:15 mha Exp $
 *
 *--------------------------------------------------------------------
 */
@ -117,6 +117,7 @@ extern char *temp_tablespaces;
 extern bool synchronize_seqscans;
 extern bool fullPageWrites;
 extern int	vacuum_defer_cleanup_age;
+extern int	ssl_renegotiation_limit;

 int	trace_recovery_messages = LOG;

@ -1968,6 +1969,16 @@ static struct config_int ConfigureNamesInt[] =
 		0, 0, INT_MAX, assign_tcp_keepalives_interval, show_tcp_keepalives_interval
 	},

+	{
+		{"ssl_renegotiation_limit", PGC_USERSET, CONN_AUTH_SECURITY,
+			gettext_noop("Set the amount of traffic to send and receive before renegotiating the encryption keys."),
+			NULL,
+			GUC_UNIT_KB,
+		},
+		&ssl_renegotiation_limit,
+		512 * 1024, 0, MAX_KILOBYTES, NULL, NULL
+	},
+
 	{
 		{"tcp_keepalives_count", PGC_USERSET, CLIENT_CONN_OTHER,
 			gettext_noop("Maximum number of TCP keepalive retransmits."),