diff options
| author | Magnus Hagander <magnus@hagander.net> | 2010-02-25 13:26:19 +0000 |
|---|---|---|
| committer | Magnus Hagander <magnus@hagander.net> | 2010-02-25 13:26:19 +0000 |
| commit | f8bd81b4cb6970c784e5c8250861df1e09cf323e (patch) | |
| tree | 3b24d5ac325d5078ab56a0deedcaac5719f5b9d3 /doc/src | |
| parent | 2c0914be737f81c2d0c020bf44fb66d92281c3a6 (diff) | |
| download | postgresql-f8bd81b4cb6970c784e5c8250861df1e09cf323e.tar.gz postgresql-f8bd81b4cb6970c784e5c8250861df1e09cf323e.zip | |
Add configuration parameter ssl_renegotiation_limit to control
how often we do SSL session key renegotiation. Can be set to
0 to disable renegotiation completely, which is required if
a broken SSL library is used (broken patches to CVE-2009-3555
a known cause) or when using a client library that can't do
renegotiation.
Diffstat (limited to 'doc/src')
| -rw-r--r-- | doc/src/sgml/config.sgml | 28 |
1 files changed, 27 insertions, 1 deletions
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml index f6d446553ca..770b95ab287 100644 --- a/doc/src/sgml/config.sgml +++ b/doc/src/sgml/config.sgml @@ -1,4 +1,4 @@ -<!-- $PostgreSQL: pgsql/doc/src/sgml/config.sgml,v 1.98.2.6 2007/05/15 15:35:58 neilc Exp $ --> +<!-- $PostgreSQL: pgsql/doc/src/sgml/config.sgml,v 1.98.2.7 2010/02/25 13:26:19 mha Exp $ --> <chapter Id="runtime-config"> <title>Server Configuration</title> @@ -569,6 +569,32 @@ SET ENABLE_SEQSCAN TO OFF; </listitem> </varlistentry> + <varlistentry id="guc-ssl-renegotiation-limit" xreflabel="ssl_renegotiation_limit"> + <term><varname>ssl_renegotiation_limit</varname> (<type>int</type>)</term> + <indexterm> + <primary><varname>ssl_renegotiation_limit</> configuration parameter</primary> + </indexterm> + <listitem> + <para> + Specifies how much data can flow over an <acronym>SSL</> encrypted connection + before renegotiation of the session will take place. Renegotiation of the + session decreases the chance of doing cryptanalysis when large amounts of data + are sent, but it also carries a large performance penalty. The sum of + sent and received traffic is used to check the limit. If the parameter is + set to 0, renegotiation is disabled. The default is <literal>512MB</>. + </para> + <note> + <para> + SSL libraries from before November 2009 are insecure when using SSL + renegotiation, due to a vulnerability in the SSL protocol. As a stop-gap fix + for this vulnerability, some vendors also shipped SSL libraries incapable + of doing renegotiation. If any of these libraries are in use on the client + or server, SSL renegotiation should be disabled. + </para> + </note> + </listitem> + </varlistentry> + <varlistentry id="guc-password-encryption" xreflabel="password_encryption"> <term><varname>password_encryption</varname> (<type>boolean</type>)</term> <indexterm> |