Add configuration parameter ssl_renegotiation_limit to control

how often we do SSL session key renegotiation. Can be set to
0 to disable renegotiation completely, which is required if
a broken SSL library is used (broken patches to CVE-2009-3555
a known cause) or when using a client library that can't do
renegotiation.

src/backend/libpq/be-secure.c

@@ -11,7 +11,7 @@
  *
  *
  * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.92.2.2 2009/12/30 03:45:53 tgl Exp $
+ *	  $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.92.2.3 2010/02/25 13:26:26 mha Exp $
  *
  *	  Since the server static private key ($DataDir/server.key)
  *	  will normally be stored unencrypted so that the database
@@ -93,13 +93,14 @@ static void close_SSL(Port *);
 static const char *SSLerrmessage(void);
 #endif
 
-#ifdef USE_SSL
 /*
  *	How much data can be sent across a secure connection
  *	(total in both directions) before we require renegotiation.
+ *	Set to 0 to disable renegotiation completely.
  */
-#define RENEGOTIATION_LIMIT (512 * 1024 * 1024)
+int ssl_renegotiation_limit;
 
+#ifdef USE_SSL
 static SSL_CTX *SSL_context = NULL;
 static bool ssl_loaded_verify_locations = false;
 
@@ -314,7 +315,7 @@ secure_write(Port *port, void *ptr, size_t len)
 	{
 		int			err;
 
-		if (port->count > RENEGOTIATION_LIMIT)
+		if (ssl_renegotiation_limit && port->count > ssl_renegotiation_limit * 1024L)
 		{
 			SSL_set_session_id_context(port->ssl, (void *) &SSL_context,
 									   sizeof(SSL_context));