Skip to content
Snippets Groups Projects
Select Git revision
  • benchmark-tools
  • postgres-lambda
  • master default
  • REL9_4_25
  • REL9_5_20
  • REL9_6_16
  • REL_10_11
  • REL_11_6
  • REL_12_1
  • REL_12_0
  • REL_12_RC1
  • REL_12_BETA4
  • REL9_4_24
  • REL9_5_19
  • REL9_6_15
  • REL_10_10
  • REL_11_5
  • REL_12_BETA3
  • REL9_4_23
  • REL9_5_18
  • REL9_6_14
  • REL_10_9
  • REL_11_4
23 results
Compare
user avatar
Disable ssl renegotiation by default.
Andres Freund authored 
While postgres' use of SSL renegotiation is a good idea in theory, it
turned out to not work well in practice. The specification and openssl's
implementation of it have lead to several security issues. Postgres' use
of renegotiation also had its share of bugs.

Additionally OpenSSL has a bunch of bugs around renegotiation, reported
and open for years, that regularly lead to connections breaking with
obscure error messages. We tried increasingly complex workarounds to get
around these bugs, but we didn't find anything complete.

Since these connection breakages often lead to hard to debug problems,
e.g. spuriously failing base backups and significant latency spikes when
synchronous replication is used, we have decided to change the default
setting for ssl renegotiation to 0 (disabled) in the released
backbranches and remove it entirely in 9.5 and master..

Author: Michael Paquier, with changes by me
Discussion: 20150624144148.GQ4797@alap3.anarazel.de
Backpatch: 9.0-9.4; 9.5 and master get a different patch
2f91e7bb
History
user avatar 2f91e7bb
History
Name Last commit Last update
..
ref
.gitignore
Makefile
README.links
acronyms.sgml
adminpack.sgml
advanced.sgml
arch-dev.sgml
array.sgml
auth-delay.sgml
auto-explain.sgml
backup.sgml
biblio.sgml
bki.sgml
btree-gin.sgml
btree-gist.sgml
catalogs.sgml
charset.sgml
chkpass.sgml
citext.sgml
client-auth.sgml
config.sgml
contacts.sgml
contrib-spi.sgml
contrib.sgml
cube.sgml
datatype.sgml
datetime.sgml
dblink.sgml
ddl.sgml
dfunc.sgml
dict-int.sgml
dict-xsyn.sgml
diskusage.sgml
dml.sgml
docguide.sgml
dummy-seclabel.sgml
earthdistance.sgml
ecpg.sgml
errcodes.sgml
extend.sgml
external-projects.sgml
fdwhandler.sgml
features.sgml
file-fdw.sgml
filelist.sgml
fixrtf
func.sgml
fuzzystrmatch.sgml
generate-errcodes-table.pl
geqo.sgml
gin.sgml
gist.sgml
high-availability.sgml
history.sgml
hstore.sgml
indexam.sgml
indices.sgml
info.sgml
information_schema.sgml
install-windows.sgml
installation.sgml
intagg.sgml
intarray.sgml
intro.sgml
isn.sgml
jadetex.cfg
keywords.sgml
legal.sgml
libpq.sgml
lo.sgml
lobj.sgml
ltree.sgml
maintenance.sgml
manage-ag.sgml
mk_feature_tables.pl
monitoring.sgml
mvcc.sgml
nls.sgml
notation.sgml
oid2name.sgml
pageinspect.sgml
passwordcheck.sgml
perform.sgml
pgarchivecleanup.sgml
pgbench.sgml
pgbuffercache.sgml
pgcrypto.sgml
pgfreespacemap.sgml
pgrowlocks.sgml
pgstandby.sgml
pgstatstatements.sgml
pgstattuple.sgml
pgtestfsync.sgml
pgtesttiming.sgml
pgtrgm.sgml
pgupgrade.sgml
planstats.sgml
plhandler.sgml
plperl.sgml