diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index df1d5f1..18e4f0f 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -606,6 +606,23 @@ SET ENABLE_SEQSCAN TO OFF;
+
+ ssl_renegotiation_limit (int)
+
+ ssl_renegotiation_limit> configuration parameter
+
+
+
+ Specifies how much data can flow over an SSL> encrypted connection
+ before renegotiation of the session will take place. Renegotiation of the
+ session decreases the chance of doing cryptanalysis when large amounts of data
+ are sent, but is also carries a large performance penalty. The sum of
+ sent and received traffic is used to check the limit. If the parameter is
+ set to 0, renegotiation is disabled.
+
+
+
+
ssl_ciphers (string)
diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c
index 3269523..91586dd 100644
--- a/src/backend/libpq/be-secure.c
+++ b/src/backend/libpq/be-secure.c
@@ -98,7 +98,7 @@ static const char *SSLerrmessage(void);
* How much data can be sent across a secure connection
* (total in both directions) before we require renegotiation.
*/
-#define RENEGOTIATION_LIMIT (512 * 1024 * 1024)
+int ssl_renegotiation_limit;
static SSL_CTX *SSL_context = NULL;
static bool ssl_loaded_verify_locations = false;
@@ -320,7 +320,7 @@ secure_write(Port *port, void *ptr, size_t len)
{
int err;
- if (port->count > RENEGOTIATION_LIMIT)
+ if (ssl_renegotiation_limit && port->count > ssl_renegotiation_limit * 1024)
{
SSL_set_session_id_context(port->ssl, (void *) &SSL_context,
sizeof(SSL_context));
diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c
index da3d83e..07bd503 100644
--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -132,6 +132,7 @@ extern bool optimize_bounded_sort;
#ifdef USE_SSL
extern char *SSLCipherSuites;
+extern int ssl_renegotiation_limit;
#endif
static void set_config_sourcefile(const char *name, char *sourcefile,
@@ -1969,6 +1970,16 @@ static struct config_int ConfigureNamesInt[] =
},
{
+ {"ssl_renegotiation_limit", PGC_SUSET, CONN_AUTH_SECURITY,
+ gettext_noop("Set the amount of traffic to send and receive before renegotiating the encryption keys."),
+ NULL,
+ GUC_UNIT_KB,
+ },
+ &ssl_renegotiation_limit,
+ 512 * 1024, 0, MAX_KILOBYTES, NULL, NULL
+ },
+
+ {
{"tcp_keepalives_count", PGC_USERSET, CLIENT_CONN_OTHER,
gettext_noop("Maximum number of TCP keepalive retransmits."),
gettext_noop("This controls the number of consecutive keepalive retransmits that can be "
diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample
index 1d2b9f0..b550132 100644
--- a/src/backend/utils/misc/postgresql.conf.sample
+++ b/src/backend/utils/misc/postgresql.conf.sample
@@ -80,6 +80,7 @@
#ssl = off # (change requires restart)
#ssl_ciphers = 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH' # allowed SSL ciphers
# (change requires restart)
+#ssl_renegotiation_limit = 512MB # amount of data between renegotiations
#password_encryption = on
#db_user_namespace = off