Re: Slightly improved SSL bits...

Your patch has been added to the PostgreSQL unapplied patches list at:

    http://momjian.postgresql.org/cgi-bin/pgpatches

I will try to apply it within the next 48 hours.

---------------------------------------------------------------------------


Sean Chittenden wrote:
> Well, the discussion about SSL a bit back perked my interest and I did
> some reading on the subject.
>
> 1) PostgreSQL uses ephemeral keying, for its connections (good thing)
>
> 2) PostgreSQL doesn't set the cipher list that it allows (bad thing,
>    fixed)
>
> 3) PostgreSQL's renegotiation code wasn't text book correct (could be
>    bad, fixed)
>
> 4) The rate of renegotiating was insanely low (as Tom pointed out, set
>    to a more reasonable level)
>
> I haven't checked around much to see if there are any other SSL bits
> that need some review, but I'm doing some OpenSSL work right now
> and'll send patches for improvements along the way (if I find them).
> At the very least, the changes in this patch will make security folks
> happier for sure.  The constant renegotiation of sessions was likely a
> boon to systems that had bad entropy gathering means (read: Slowaris
> /dev/rand|/dev/urand != ANDIrand).  The new limit for renegotiations
> is 512MB which should be much more reasonable.
>
> -sc
>
> --
> Sean Chittenden

[ Attachment, skipping... ]

>
> ---------------------------(end of broadcast)---------------------------
> TIP 4: Don't 'kill -9' the postmaster

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073