From 8b33d83cc59d38a83f7cd4abe7738835e24f8624 Mon Sep 17 00:00:00 2001
From: Tom Lane
Date: Thu, 25 Feb 2010 23:45:29 +0000
Subject: Back-patch addition of ssl_renegotiation_limit into 7.4 through 8.1.

---
 doc/src/sgml/runtime.sgml | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)

(limited to 'doc/src')

diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
index 58aa9650bc7..73d7da7ec84 100644
--- a/doc/src/sgml/runtime.sgml
+++ b/doc/src/sgml/runtime.sgml
@@ -1,5 +1,5 @@
@@ -755,6 +755,32 @@ SET ENABLE_SEQSCAN TO OFF;
+
+ ssl_renegotiation_limit (int)
+
+ ssl_renegotiation_limit configuration parameter
+
+
+
+ Specifies how much data can flow over an SSL encrypted connection
+ before renegotiation of the session will take place. Renegotiation of the
+ session decreases the chance of doing cryptanalysis when large amounts of data
+ are sent, but it also carries a large performance penalty. The sum of
+ sent and received traffic is used to check the limit. If the parameter is
+ set to 0, renegotiation is disabled. The default is 512MB.
+
+
+
+ SSL libraries from before November 2009 are insecure when using SSL
+ renegotiation, due to a vulnerability in the SSL protocol. As a stop-gap fix
+ for this vulnerability, some vendors also shipped SSL libraries incapable
+ of doing renegotiation. If any of these libraries are in use on the client
+ or server, SSL renegotiation should be disabled.
+
+
+
+
+
 password_encryption (boolean)
-- 
cgit v1.2.3