Re: PostgreSQL not setting OpenSSL session id context?
Andreas Karlsson <andreas@proxel.se>
From: Andreas Karlsson <andreas@proxel.se>
To: Shay Rojansky <roji@roji.org>, Andres Freund <andres@anarazel.de>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, Heikki Linnakangas <hlinnaka@iki.fi>,
pgsql-hackers@postgresql.org
Date: 2017-08-06T20:55:02Z
Lists: pgsql-hackers
On 08/04/2017 08:48 PM, Shay Rojansky wrote: > On 2017-08-04 07:22:42 +0300, Shay Rojansky wrote: > > I'm still not convinced of the risk/problem of simply setting the session > > id context as I explained above (rather than disabling the optimization), > > but of course either solution resolves my problem. > > How would that do anything? Each backend has it's own local > memory. I.e. any cache state that openssl would maintain wouldn't be > useful. If you want to take advantage of features around this you really > need to cache tickets in shared memory... > > Guys, there's no data being cached at the backend - RFC5077 is about > packaging information into a client-side opaque session ticket that > allows skipping a roundtrip on the next connection. As I said, simply > setting the session id context (*not* the session id or anything else) > makes this feature work, even though a completely new backend process is > launched. Yes, session tickets are encrypted data which is stored by the client. But if we are going to support them I think we should do it properly with new GUCs for the key file and disabling the feature. Using a key file is less necessary for PostgreSQL than for a web server since it is less common to do round robin load balancing between different PostgreSQL instances. Andreas
Commits
-
Disallow SSL session tickets.
- c180d2eb7614 9.2.22 landed
- dda04b9dd1bd 9.3.18 landed
- bebee333c3d2 9.5.8 landed
- b798ea88ac6e 9.6.4 landed
- 97d3a0b0900a 10.0 landed
- 8d05db3d8e0c 9.4.13 landed