Re: SSL renegotiation
From | Andres Freund |
---|---|
Subject | Re: SSL renegotiation |
Date | |
Msg-id | 20150222130527.GE6093@alap3.anarazel.de |
In response to | SSL renegotiation (Emil Lenngren <emil.lenngren@gmail.com>) |
Responses | Re: SSL renegotiation |
List | pgsql-hackers |
On 2015-02-22 01:27:54 +0100, Emil Lenngren wrote:
> I honestly wonder why postgres uses renegotiation at all. The motivation
> that cryptoanalysis is easier as more data is sent seems quite
> far-fetched.

I don't think so. There's a fair number of algorithms that can/could be
attacked much more easily with lots of data available. Especially if you can
guess/know/control some of the data. Additionally, renegotiating
regularly helps to constrain a possible key leakage to a certain amount
of time. With backend connections often being alive for weeks at a time,
that's not a bad thing.

And it's not just us. E.g. openssh also triggers renegotiations based on
the amount of data sent.

Greetings,

Andres Freund

--
Andres Freund http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services