diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index c669f752323..871b04a94b0 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -1040,7 +1040,7 @@ include_dir 'conf.d'
 cryptanalysis when large amounts of traffic can be examined, but it also carries a large performance penalty. The sum of sent and received traffic is used to check the limit. If this parameter is set to 0,
- renegotiation is disabled. The default is 512MB.
+ renegotiation is disabled. The default is 0.
@@ -1052,6 +1052,14 @@ include_dir 'conf.d'
 disabled.
+
+
+
+ Due to bugs in OpenSSL enabling ssl renegotiation, by
+ configuring a non-zero ssl_renegotiation_limit, is likely
+ to lead to problems like long-lived connections breaking.
+
+
diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c
index 6ad0892b937..396c68b30ef 100644
--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -2457,7 +2457,7 @@ static struct config_int ConfigureNamesInt[] =
 GUC_UNIT_KB,
 },
 &ssl_renegotiation_limit,
- 512 * 1024, 0, MAX_KILOBYTES,
+ 0, 0, MAX_KILOBYTES,
 NULL, NULL, NULL
 },
diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample
index 8dfd485e0b9..3845d57808b 100644
--- a/src/backend/utils/misc/postgresql.conf.sample
+++ b/src/backend/utils/misc/postgresql.conf.sample
@@ -83,7 +83,7 @@
 # (change requires restart)
 #ssl_prefer_server_ciphers = on # (change requires restart)
 #ssl_ecdh_curve = 'prime256v1' # (change requires restart)
-#ssl_renegotiation_limit = 512MB # amount of data between renegotiations
+#ssl_renegotiation_limit = 0 # amount of data between renegotiations
 #ssl_cert_file = 'server.crt' # (change requires restart)
 #ssl_key_file = 'server.key' # (change requires restart)
 #ssl_ca_file = '' # (change requires restart)
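Review bot: The new boot value `0, 0, MAX_KILOBYTES,` in the `ssl_renegotiation_limit` entry of guc.c carries no comment explaining why renegotiation is now off by default, so the rationale lives only in the config.sgml warning. A one-line comment next to the value, such as `/* default 0 = renegotiation disabled; OpenSSL renegotiation bugs break long-lived connections */`, would keep a later maintainer from restoring a non-zero default without knowing the history. With this default, long-lived SSL sessions are no longer rekeyed unless the operator sets the limit explicitly, which is presumably worth stating wherever the default change is announced. The trailing comment in the postgresql.conf.sample hunk could likewise read `# amount of data between renegotiations, 0 disables`. The config_int entry starts and ends outside the hunk.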