diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml index df1d5f1..18e4f0f 100644 --- a/doc/src/sgml/config.sgml +++ b/doc/src/sgml/config.sgml @@ -606,6 +606,23 @@ SET ENABLE_SEQSCAN TO OFF; + + ssl_renegotiation_limit (int) + + ssl_renegotiation_limit configuration parameter + + + + Specifies how much data can flow over an SSL encrypted connection + before renegotiation of the session will take place. Renegotiation of the + session decreases the chance of doing cryptanalysis when large amounts of data + are sent, but is also carries a large performance penalty. The sum of + sent and received traffic is used to check the limit. If the parameter is + set to 0, renegotiation is disabled. + + + + ssl_ciphers (string) diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c index 3269523..91586dd 100644 --- a/src/backend/libpq/be-secure.c +++ b/src/backend/libpq/be-secure.c @@ -98,7 +98,7 @@ static const char *SSLerrmessage(void); * How much data can be sent across a secure connection * (total in both directions) before we require renegotiation. */ -#define RENEGOTIATION_LIMIT (512 * 1024 * 1024) +int ssl_renegotiation_limit; static SSL_CTX *SSL_context = NULL; static bool ssl_loaded_verify_locations = false; @@ -320,7 +320,7 @@ secure_write(Port *port, void *ptr, size_t len) { int err; - if (port->count > RENEGOTIATION_LIMIT) + if (ssl_renegotiation_limit && port->count > ssl_renegotiation_limit * 1024) { SSL_set_session_id_context(port->ssl, (void *) &SSL_context, sizeof(SSL_context)); diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c index da3d83e..07bd503 100644 --- a/src/backend/utils/misc/guc.c +++ b/src/backend/utils/misc/guc.c @@ -132,6 +132,7 @@ extern bool optimize_bounded_sort; #ifdef USE_SSL extern char *SSLCipherSuites; +extern int ssl_renegotiation_limit; #endif static void set_config_sourcefile(const char *name, char *sourcefile, @@ -1969,6 +1970,16 @@ static struct config_int ConfigureNamesInt[] = }, { + {"ssl_renegotiation_limit", PGC_SUSET, CONN_AUTH_SECURITY, + gettext_noop("Set the amount of traffic to send and receive before renegotiating the encryption keys."), + NULL, + GUC_UNIT_KB, + }, + &ssl_renegotiation_limit, + 512 * 1024, 0, MAX_KILOBYTES, NULL, NULL + }, + + { {"tcp_keepalives_count", PGC_USERSET, CLIENT_CONN_OTHER, gettext_noop("Maximum number of TCP keepalive retransmits."), gettext_noop("This controls the number of consecutive keepalive retransmits that can be " diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample index 1d2b9f0..b550132 100644 --- a/src/backend/utils/misc/postgresql.conf.sample +++ b/src/backend/utils/misc/postgresql.conf.sample @@ -80,6 +80,7 @@ #ssl = off # (change requires restart) #ssl_ciphers = 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH' # allowed SSL ciphers # (change requires restart) +#ssl_renegotiation_limit = 512MB # amount of data between renegotiations #password_encryption = on #db_user_namespace = off