| From: | Andres Freund <andres(at)anarazel(dot)de> |
|---|---|
| To: | Shay Rojansky <roji(at)roji(dot)org> |
| Cc: | "Pgsql-hackers(at)postgresql(dot)org" <Pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Allow ssl_renegotiation_limit in PG 9.5 |
| Date: | 2015-10-14 15:56:04 |
| Message-ID: | 20151014155604.GI30738@alap3.anarazel.de |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 2015-10-14 18:53:14 +0300, Shay Rojansky wrote:
> However, the new situation where some versions of PG allow this parameter
> while others bomb when seeing it. Specifically, Npgsql sends
> ssl_renegotiation_limit=0 in the startup packet to completely disable
> renegotiation. At this early stage it doesn't know yet whether the database
> it's connecting to is PG 9.5 or earlier.
I find it a rather debatable practice to send such a parameter
unconditionally. Why are you sending it before the connection has even
been established?
> Is there any chance you'd consider allowing ssl_renegotiation_limit in PG
> 9.5, without it having any effect (I think that's the current behavior for
> recent 9.4, 9.3, right)?
No, you can actually enable renegotiation in those versions, it's just a
changed default value.
> It may be a good idea to only allow this parameter to be set to zero,
> raising an error otherwise.
-0.1 from me.
Andres
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Amit Kapila | 2015-10-14 16:30:39 | Re: Parallel Seq Scan |
| Previous Message | Shay Rojansky | 2015-10-14 15:53:14 | Allow ssl_renegotiation_limit in PG 9.5 |