diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c
index 38ebe2a24a418bb99030565e19f9cde5e01cbb48..cca5e79f9e08ba5bfe3f9cbbc98750a5c8ec4021 100644
--- a/src/backend/libpq/be-secure.c
+++ b/src/backend/libpq/be-secure.c
@@ -11,7 +11,7 @@
  *
  *
  * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/libpq/be-secure.c,v 1.33 2003/05/27 17:49:46 momjian Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/libpq/be-secure.c,v 1.34 2003/06/11 15:05:50 momjian Exp $
  *
  *	  Since the server static private key ($DataDir/server.key)
  *	  will normally be stored unencrypted so that the database
@@ -124,7 +124,7 @@ static const char *SSLerrmessage(void);
  *	How much data can be sent across a secure connection
  *	(total in both directions) before we require renegotiation.
  */
-#define RENEGOTIATION_LIMIT (64 * 1024)
+#define RENEGOTIATION_LIMIT (512 * 1024 * 1024)
 #define CA_PATH NULL
 static SSL_CTX *SSL_context = NULL;
 #endif
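Review bot: The comment above `RENEGOTIATION_LIMIT` still only says what the limit is for, not why it is now 512 MB instead of 64 KB, and that rationale is what the next reader of this security-relevant knob will need; I would add a one-line why-comment next to the definition, e.g. ` * (512 MB: document here why renegotiation is kept this rare)` with the actual reason filled in. The new literal `(512 * 1024 * 1024)` is 2^29 and fits a 32-bit `int`, so the value itself is fine provided `port->count` (declared outside this hunk) is not narrower than `int`.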
@@ -320,8 +320,11 @@ secure_write(Port *port, void *ptr, size_t len)
 				elog(COMMERROR, "SSL renegotiation failure");
 			if (SSL_do_handshake(port->ssl) <= 0)
 				elog(COMMERROR, "SSL renegotiation failure");
-			port->ssl->state = SSL_ST_ACCEPT;
-			if (SSL_do_handshake(port->ssl) <= 0)
+			if (port->ssl->state != SSL_ST_OK)
+				elog(COMMERROR, "SSL failed to send renegotiation request");
+			port->ssl->state |= SSL_ST_ACCEPT;
+			SSL_do_handshake(port->ssl);
+			if (port->ssl->state != SSL_ST_OK)
 				elog(COMMERROR, "SSL renegotiation failure");
 			port->count = 0;
 		}
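Review bot: The return value of the second `SSL_do_handshake(port->ssl)` call, on the line after `port->ssl->state |= SSL_ST_ACCEPT`, is discarded, so a handshake that fails or would block is only noticed if the internal state field happens to differ from `SSL_ST_OK`; keep the return check as well, `if (SSL_do_handshake(port->ssl) <= 0 || port->ssl->state != SSL_ST_OK)`. As far as I can tell `elog(COMMERROR, ...)` only reports and does not abort the write, so after either failure `port->count = 0` resets the counter and the data goes out over a session that was never renegotiated; a comment stating that this is deliberate best-effort, or an error return from secure_write, would make that visible. Reading `port->ssl->state` directly ties the code to OpenSSL's internal struct layout; the `SSL_state()` accessor, where the supported OpenSSL versions provide it, would be more robust. secure_write starts and ends outside this hunk.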
@@ -639,6 +642,13 @@ initialize_SSL(void)
 	SSL_CTX_set_tmp_dh_callback(SSL_context, tmp_dh_cb);
 	SSL_CTX_set_options(SSL_context, SSL_OP_SINGLE_DH_USE | SSL_OP_NO_SSLv2);
 
+	/* setup the allowed cipher list */
+	if (SSL_CTX_set_cipher_list(SSL_context, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGH") != 1)
+	{
+		postmaster_error("unable to set the cipher list (no valid ciphers available)");
+		ExitPostmaster(1);
+	}
+
 	/* accept client certificates, but don't require them. */
 	snprintf(fnbuf, sizeof fnbuf, "%s/root.crt", DataDir);
 	if (!SSL_CTX_load_verify_locations(SSL_context, fnbuf, CA_PATH))
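Review bot: The cipher string passed to `SSL_CTX_set_cipher_list` contains a typo, `@STRENGH` for `@STRENGTH`; as far as I know OpenSSL's cipher-string parser rejects an unrecognised `@` command, so the call returns 0 and the new check exits the postmaster on every SSL-enabled start. Fix the literal: `if (SSL_CTX_set_cipher_list(SSL_context, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH") != 1)`. The message `(no valid ciphers available)` also hides the malformed-string case; `"unable to set the cipher list (invalid cipher string or no valid ciphers available)"` would point the administrator at the right cause. A short comment on the exclusions, e.g. `/* !ADH: no unauthenticated DH; !LOW/!EXP: no weak or export-grade suites; !MD5: no MD5 MACs */`, would document the intent of the list. initialize_SSL starts and ends outside this hunk.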