[PostgreSQL-Hackers] Recent vendor SSL renegotiation patches break PostgreSQL

[PostgreSQL-Hackers] Recent vendor SSL renegotiation patches break PostgreSQL

	Michael Ledford
	Feb 3, 2010 at 3:56 pm

On Wed, Feb 3, 2010 at 10:21 AM, Tom Lane wrote:
Bad idea: once set, it'll never get unset, thus leaving installations
with a weakened security posture even after they've installed fixed
versions of openssl.

regards, tom lane

One might argue that the current method is already weakened as it is
measured by the amount of data sent instead of of a length of time. A
session could live a long time under the 512MB threshold depending on
the queries that are being performed.

Michael

Search Discussions

Discussion Posts

Chris Campbell: Is there a way to detect when the SSL library has renegotiation disabled? (Either at compile-time or runtime, although runtime would definitely be better because we’ll change our behavior if/when the user updates their SSL library.) If so, we could skip renegotiation when it’s disabled in the library, but otherwise perform renegotiation like we normally do (every 512 MB, I think it is). Also, the official OpenSSL patch provides a way for the application to re-enable renegotiation. I don’t think

Follow ups

Related Discussions

Discussion Navigation

view	thread \| post
posts	‹ prev \| 8 of 42 \| next ›

Discussion Overview

group	pgsql-hackers @
categories	postgresql
posted	Feb 3, '10 at 11:25a
active	Feb 25, '10 at 3:10p
posts	42
users	12
website	postgresql.org...
irc	#postgresql

font	variable	Hotkey: f
user style	avatars	Hotkey: a

[PostgreSQL-Hackers] Recent vendor SSL renegotiation patches break PostgreSQL

Search Discussions

Discussion Posts

Related Discussions

12 users in discussion