Re: Allow ssl_renegotiation_limit in PG 9.5 - Mailing list pgsql-hackers

From Tom Lane
Subject Re: Allow ssl_renegotiation_limit in PG 9.5
Date
Msg-id 31677.1444844386@sss.pgh.pa.us
Whole thread Raw
In response to Re: Allow ssl_renegotiation_limit in PG 9.5  (Alvaro Herrera <alvherre@2ndquadrant.com>)
Responses Re: Allow ssl_renegotiation_limit in PG 9.5
List pgsql-hackers
Alvaro Herrera <alvherre@2ndquadrant.com> writes:
> Andres Freund wrote:
>> On 2015-10-14 14:19:40 -0300, Alvaro Herrera wrote:
>>> I think we could continue to have the parameter except that it throws an
>>> error if you try to set it to something other than 0.

>> That'll make it hard to ever remove it tho.

> What would you recommend then?  Forcing the user to specify the version
> before the connection is established is not nice.

Yeah.  I thought about telling Shay to set the variable after establishing
the connection, but there's a problem with that: if the user issues RESET
ALL then his setting would go away.  (IIRC, settings established in the
connection packet are considered to be what to reset to; but a SET sent
just after connection would not be.)

The only other alternative is to make a second connection attempt if the
first fails, which is pretty messy.

If we think it's legit for npgsql to try to force renegotiation off,
then we have to give pretty serious consideration to putting the variable
back as Alvaro suggests.
        regards, tom lane



pgsql-hackers by date:

Previous
From: Amir Rohan
Date:
Subject: Re: Proposal: pg_confcheck - syntactic & semantic validation of postgresql configuration files
Next
From: Christopher Browne
Date:
Subject: Re: Can extension build own SGML document?