| From: | Heikki Linnakangas <hlinnaka(at)iki(dot)fi> |
|---|---|
| To: | Shay Rojansky <roji(at)roji(dot)org>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: PostgreSQL not setting OpenSSL session id context? |
| Date: | 2017-07-31 11:54:22 |
| Message-ID: | a0b0c09a-554d-4ff0-8aab-3268bda41db6@iki.fi |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 07/31/2017 02:24 AM, Shay Rojansky wrote:
> Just to continue the above, I can confirm that adding a simple call
> to SSL_CTX_set_session_id_context() to be_tls_init() with some arbitrary
> const value fixes the error for me. Attached is a patch (ideally a test
> should be done for this, but that's beyond what I can invest at the moment,
> let me know if it's absolutely necessary).
I agree with Tom that we don't really want abbreviated SSL handshakes,
or other similar optimizations, to take place. PostgreSQL connections
are quite long-lived, so we have little to gain. But it makes the attack
surface larger. There have been vulnerabilities related to SSL
renegotiation, resumption, abbreviated handshakes, and all that.
I think we should actually call SSL_CTX_set_session_cache_mode(ctx,
SSL_SESS_CACHE_OFF), to disable session caching altogether. I'm not sure
if we still need to call SSL_CTX_set_session_cache_mode() if we do that.
I know next-to-nothing about .Net; is there some easy way to download a
.Net client application and test this?
- Heikki
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Ashutosh Bapat | 2017-07-31 11:59:31 | Re: Partition-wise join for join between (declaratively) partitioned tables |
| Previous Message | Beena Emerson | 2017-07-31 11:53:10 | Minor comment update in partition.c |