Back-patch addition of ssl_renegotiation_limit into 7.4 through 8.1.

2025-08-06 18:42:54 +03:00 · 2010-02-25 23:45:29 +00:00
parent a0b3d52af1
commit 8b33d83cc5
4 changed files with 46 additions and 6 deletions
--- a/doc/src/sgml/runtime.sgml
+++ b/doc/src/sgml/runtime.sgml
@@ -1,5 +1,5 @@
 <!--
-$Header: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v 1.215.2.10 2007/04/20 02:38:46 tgl Exp $
+$Header: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v 1.215.2.11 2010/02/25 23:45:28 tgl Exp $
 -->

 <Chapter Id="runtime">
@@ -755,6 +755,32 @@ SET ENABLE_SEQSCAN TO OFF;
      </listitem>
     </varlistentry>

+     <varlistentry>
+      <term><varname>ssl_renegotiation_limit</varname> (<type>int</type>)</term>
+      <indexterm>
+       <primary><varname>ssl_renegotiation_limit</> configuration parameter</primary>
+      </indexterm>
+      <listitem>
+       <para>
+        Specifies how much data can flow over an <acronym>SSL</> encrypted connection
+        before renegotiation of the session will take place. Renegotiation of the
+        session decreases the chance of doing cryptanalysis when large amounts of data
+        are sent, but it also carries a large performance penalty. The sum of
+        sent and received traffic is used to check the limit. If the parameter is
+        set to 0, renegotiation is disabled. The default is <literal>512MB</>.
+       </para>
+       <note>
+        <para>
+         SSL libraries from before November 2009 are insecure when using SSL
+         renegotiation, due to a vulnerability in the SSL protocol. As a stop-gap fix
+         for this vulnerability, some vendors also shipped SSL libraries incapable
+         of doing renegotiation. If any of these libraries are in use on the client
+         or server, SSL renegotiation should be disabled.
+        </para>
+       </note>
+      </listitem>
+     </varlistentry>
+
     <varlistentry>
      <term><varname>password_encryption</varname> (<type>boolean</type>)</term>
      <listitem>
--- a/src/backend/libpq/be-secure.c
+++ b/src/backend/libpq/be-secure.c
@@ -11,7 +11,7 @@
 *
 *
 * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/libpq/be-secure.c,v 1.43.2.6 2009/12/09 06:37:09 mha Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/libpq/be-secure.c,v 1.43.2.7 2010/02/25 23:45:28 tgl Exp $
 *
 *	  Since the server static private key ($DataDir/server.key)
 *	  will normally be stored unencrypted so that the database
@@ -112,14 +112,16 @@ static void close_SSL(Port *);
 static const char *SSLerrmessage(void);
 #endif

-#ifdef USE_SSL
 /*
 *	How much data can be sent across a secure connection
 *	(total in both directions) before we require renegotiation.
+ *	Set to 0 to disable renegotiation completely.
 */
-#define RENEGOTIATION_LIMIT (512 * 1024 * 1024)
+int ssl_renegotiation_limit;
+
 #define CA_PATH NULL

+#ifdef USE_SSL
 static SSL_CTX *SSL_context = NULL;
 #endif

@@ -318,7 +320,7 @@ secure_write(Port *port, void *ptr, size_t len)
 #ifdef USE_SSL
 	if (port->ssl)
 	{
-		if (port->count > RENEGOTIATION_LIMIT)
+		if (ssl_renegotiation_limit && port->count > ssl_renegotiation_limit * 1024L)
 		{
 			SSL_set_session_id_context(port->ssl, (void *) &SSL_context,
 									   sizeof(SSL_context));
--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -10,7 +10,7 @@
 * Written by Peter Eisentraut <peter_e@gmx.net>.
 *
 * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/utils/misc/guc.c,v 1.164.2.7 2009/12/09 21:59:07 tgl Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/utils/misc/guc.c,v 1.164.2.8 2010/02/25 23:45:28 tgl Exp $
 *
 *--------------------------------------------------------------------
 */
@@ -75,6 +75,7 @@ extern int	CheckPointTimeout;
 extern int	CommitDelay;
 extern int	CommitSiblings;
 extern char *preload_libraries_string;
+extern int	ssl_renegotiation_limit;

 #ifdef HAVE_SYSLOG
 extern char *Syslog_facility;
@@ -976,6 +977,15 @@ static struct config_int ConfigureNamesInt[] =
 		DEF_PGPORT, 1, 65535, NULL, NULL
 	},

+	{
+		{"ssl_renegotiation_limit", PGC_USERSET, CONN_AUTH_SECURITY,
+			gettext_noop("Set the amount of traffic to send and receive before renegotiating the encryption keys."),
+			NULL
+		},
+		&ssl_renegotiation_limit,
+		512 * 1024, 0, INT_MAX / 1024, NULL, NULL
+	},
+
 	{
 		{"unix_socket_permissions", PGC_POSTMASTER, CONN_AUTH_SETTINGS,
 			gettext_noop("Sets the access permissions of the Unix-domain socket."),
--- a/src/backend/utils/misc/postgresql.conf.sample
+++ b/src/backend/utils/misc/postgresql.conf.sample
@@ -44,6 +44,8 @@

 #authentication_timeout = 60	# 1-600, in seconds
 #ssl = false
+#ssl_renegotiation_limit = 524288	# amount of data between renegotiations
+					# in kilobytes
 #password_encryption = true
 #krb_server_keyfile = ''
 #db_user_namespace = false