From f8bd81b4cb6970c784e5c8250861df1e09cf323e Mon Sep 17 00:00:00 2001 From: Magnus Hagander Date: Thu, 25 Feb 2010 13:26:19 +0000 Subject: Add configuration parameter ssl_renegotiation_limit to control how often we do SSL session key renegotiation. Can be set to 0 to disable renegotiation completely, which is required if a broken SSL library is used (broken patches to CVE-2009-3555 a known cause) or when using a client library that can't do renegotiation. --- src/backend/utils/misc/guc.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) (limited to 'src/backend/utils/misc/guc.c') diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c index d9ff84593a1..d8a82ee10d3 100644 --- a/src/backend/utils/misc/guc.c +++ b/src/backend/utils/misc/guc.c @@ -10,7 +10,7 @@ * Written by Peter Eisentraut . * * IDENTIFICATION - * $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.360.2.6 2010/01/24 21:49:48 tgl Exp $ + * $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.360.2.7 2010/02/25 13:26:19 mha Exp $ * *-------------------------------------------------------------------- */ @@ -103,6 +103,7 @@ extern int CommitDelay; extern int CommitSiblings; extern char *default_tablespace; extern bool fullPageWrites; +extern int ssl_renegotiation_limit; #ifdef TRACE_SORT extern bool trace_sort; @@ -1621,6 +1622,16 @@ static struct config_int ConfigureNamesInt[] = 0, 0, INT_MAX, assign_tcp_keepalives_interval, show_tcp_keepalives_interval }, + { + {"ssl_renegotiation_limit", PGC_USERSET, CONN_AUTH_SECURITY, + gettext_noop("Set the amount of traffic to send and receive before renegotiating the encryption keys."), + NULL, + GUC_UNIT_KB, + }, + &ssl_renegotiation_limit, + 512 * 1024, 0, MAX_KILOBYTES, NULL, NULL + }, + { {"tcp_keepalives_count", PGC_USERSET, CLIENT_CONN_OTHER, gettext_noop("Maximum number of TCP keepalive retransmits."), -- cgit v1.2.3