Re: Recent vendor SSL renegotiation patches break PostgreSQL

From: Chris Campbell <chris_campbell(at)mac(dot)com>
To: Robert Haas <robertmhaas(at)gmail(dot)com>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Recent vendor SSL renegotiation patches break PostgreSQL
Date: 2010-02-03 15:35:00
Message-ID: 29CD7C5E-24DB-459C-875B-3E05108E4892@mac.com
Lists: pgsql-hackers

Is there a way to detect when the SSL library has renegotiation disabled? (Either at compile-time or runtime, although runtime would definitely be better because we’ll change our behavior if/when the user updates their SSL library.)

If so, we could skip renegotiation when it’s disabled in the library, but otherwise perform renegotiation like we normally do (every 512 MB, I think it is).

Also, the official OpenSSL patch provides a way for the application to re-enable renegotiation. I don’t think all implementations will do so, though (e.g., some vendors might have patched it differently).

- Chris
