Skip site navigation (1) Skip section navigation (2)

Re: Recent vendor SSL renegotiation patches break PostgreSQL

From: Chris Campbell <chris_campbell(at)mac(dot)com>
To: Stefan Kaltenbrunner <stefan(at)kaltenbrunner(dot)cc>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Recent vendor SSL renegotiation patches break PostgreSQL
Date: 2010-02-03 15:20:04
Message-ID: 41EE6009-A3E0-4C3A-8A83-BB39D934B461@mac.com (view raw or flat)
Thread:
Lists: pgsql-hackers
On Feb 3, 2010, at 10:16 AM, Stefan Kaltenbrunner wrote:

> Robert Haas wrote:
>> On Wed, Feb 3, 2010 at 6:24 AM, Chris Campbell <chris_campbell(at)mac(dot)com> wrote:
>>> The flurry of patches that vendors have recently been making to OpenSSL to address
>>> the potential man-in-the-middle attack during SSL renegotiation have disabled SSL
>>> renegotiation altogether in the OpenSSL libraries. Applications that make use of SSL
>>> renegotiation, such as PostgreSQL, start failing.
>> Should we think about adding a GUC to disable renegotiation until this
>> blows over?
> 
> hmm I wonder if we should not go as far as removing the whole renegotiation code, from the field it seems that there are very very few daemons actually doing that kind forced renegotiation.

There was a discussion about the relevance and consequences of SSL renegotiation on this list back in 2003:

    http://archives.postgresql.org/pgsql-interfaces/2003-04/msg00075.php

Personally, my production servers have been patched to remove renegotiation completely, and I’m comfortable with the consequences of that for my usage.

- Chris


In response to

pgsql-hackers by date

Next:From: Robert HaasDate: 2010-02-03 15:20:52
Subject: Re: Largeobject Access Controls (r2460)
Previous:From: Stefan KaltenbrunnerDate: 2010-02-03 15:16:29
Subject: Re: Recent vendor SSL renegotiation patches break PostgreSQL

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group