Patch applied. Thanks.
---------------------------------------------------------------------------
Sean Chittenden wrote:
> Well, the discussion about SSL a bit back perked my interest and I did
> some reading on the subject.
>
> 1) PostgreSQL uses ephemeral keying, for its connections (good thing)
>
> 2) PostgreSQL doesn't set the cipher list that it allows (bad thing,
> fixed)
>
> 3) PostgreSQL's renegotiation code wasn't text book correct (could be
> bad, fixed)
>
> 4) The rate of renegotiating was insanely low (as Tom pointed out, set
> to a more reasonable level)
>
> I haven't checked around much to see if there are any other SSL bits
> that need some review, but I'm doing some OpenSSL work right now
> and'll send patches for improvements along the way (if I find them).
> At the very least, the changes in this patch will make security folks
> happier for sure. The constant renegotiation of sessions was likely a
> boon to systems that had bad entropy gathering means (read: Slowaris
> /dev/rand|/dev/urand != ANDIrand). The new limit for renegotiations
> is 512MB which should be much more reasonable.
>
> -sc
>
> --
> Sean Chittenden
[ Attachment, skipping... ]
>
> ---------------------------(end of broadcast)---------------------------
> TIP 4: Don't 'kill -9' the postmaster
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
