Home > mailing lists

Re: Allow ssl_renegotiation_limit in PG 9.5 - Mailing list pgsql-hackers

From	Shay Rojansky
Subject	Re: Allow ssl_renegotiation_limit in PG 9.5
Date	October 14, 2015 20:52:41
Msg-id	CADT4RqCkLWhCt5fr1ySmSXYa2LZA8dGGgk5=eKYtxpOtN5-o+g@mail.gmail.com Whole thread Raw
In response to	Re: Allow ssl_renegotiation_limit in PG 9.5 (Tom Lane <tgl@sss.pgh.pa.us>)
Responses	Re: Allow ssl_renegotiation_limit in PG 9.5 (Albe Laurenz <laurenz.albe@wien.gv.at>)
List	pgsql-hackers

Tree view

Just to give some added reasoning...

As Andres suggested, Npgsql sends ssl_renegotiation_limit=0 because we've seen renegotiation bugs with the standard .NET SSL implementation (which Npgsql uses). Seems like everyone has a difficult time with renegotiation.

As Tom suggested, it gets sent in the startup packet so that DISCARD/RESET ALL resets back to 0 and not to the default 512MB (in older versions). Npgsql itself issues DISCARD ALL in its connection pool implementation to reset the connection to its original opened state, and of course users may want to do it themselves. Having SSL renegotiation accidentally turned on because a user sent RESET ALL, when the SSL implementation is known to have issues, is something to be avoided...

Shay

pgsql-hackers by date:

From: Andres Freund
Date: 14 October 2015, 20:50:36
Subject: Re: Proposal: pg_confcheck - syntactic & semantic validation of postgresql configuration files

From: Alvaro Herrera
Date: 14 October 2015, 20:56:42
Subject: Re: Can extension build own SGML document?

Re: Allow ssl_renegotiation_limit in PG 9.5 - Mailing list pgsql-hackers

Previous

Next