Monday, March 29, 2010

SSL Renegotiation patch

Hi all!

Albe Laurenz called my attention to a new patch applied to PostgreSQL servers which lets the administrator set a value telling the server when to start SSL renegotiation. This parameter also allows you to disable renegotiation entirely.[1]

Today, I committed a patch which tries to disable SSL renegotiation on supported PostgreSQL servers, that is, servers which had this patch applied. According to Albe, those server versions are: 9.0, 8.4.3, 8.3.10, 8.2.16, 8.1.20, 8.0.24, 7.4.28.

This patch simply calls:

SET ssl_renegotiation_limit=0

as suggested by Albe.
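
One way a client could decide whether a server accepts the parameter before sending the `SET`, using the version list above. This is an added example, not Npgsql's own code: `RenegotiationGate` and `SupportsLimit` are hypothetical names, and treating every release from 9.0 onward as supported is an assumption.

```csharp
using System;
using System.Collections.Generic;

static class RenegotiationGate
{
    // First release on each branch that accepts ssl_renegotiation_limit,
    // taken from the version list in the post.
    static readonly Dictionary<string, int> FirstPatched = new Dictionary<string, int>
    {
        { "7.4", 28 }, { "8.0", 24 }, { "8.1", 20 },
        { "8.2", 16 }, { "8.3", 10 }, { "8.4", 3 },
    };

    // serverVersion is the server_version string reported by the backend,
    // for example "8.4.3" or "9.0beta1".
    public static bool SupportsLimit(string serverVersion)
    {
        // Keep only the leading digits-and-dots part ("9.0beta1" -> "9.0").
        int end = 0;
        while (end < serverVersion.Length &&
               (char.IsDigit(serverVersion[end]) || serverVersion[end] == '.'))
            end++;
        string[] parts = serverVersion.Substring(0, end)
            .Split(new[] { '.' }, StringSplitOptions.RemoveEmptyEntries);
        if (parts.Length < 2) return false;   // unparseable: do not send the SET

        int major = int.Parse(parts[0]), minor = int.Parse(parts[1]);
        int patch = parts.Length > 2 ? int.Parse(parts[2]) : 0;

        if (major >= 9) return true;          // assumption: 9.0 and everything after it
        int firstPatched;
        return FirstPatched.TryGetValue(major + "." + minor, out firstPatched)
               && patch >= firstPatched;
    }

    static void Main()
    {
        // Constructed sample versions, one on each side of the boundary.
        foreach (string v in new[] { "7.4.27", "8.3.10", "8.4.2", "8.4.3", "9.0beta1" })
            Console.WriteLine("{0,-9} {1}", v,
                SupportsLimit(v) ? "SET ssl_renegotiation_limit=0" : "skip (parameter not available)");
    }
}
```

Branches missing from the table are treated as unsupported, so an unpatched server never receives a `SET` for a parameter it does not recognize.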

One positive side effect of this modification is that it serves as a workaround for the SSL renegotiation problem with Npgsql. Today, Npgsql has problems with this, as can be seen in this bug report[2]. Although this patch isn't a solution, at least it makes Npgsql work on long SSL sessions.

If you want to try it out now, please grab the latest code from CVS and let us know on our forums if you run into any problems: http://forums.npgsql.org


[1] http://archives.postgresql.org/pgsql-committers/2010-02/msg00363.php

[2] http://lists.pgfoundry.org/pipermail/npgsql-devel/2010-February/001065.html
