Put back ssl_renegotiation_limit parameter, but only allow 0.

Per a report from Shay Rojansky, Npgsql sends ssl_renegotiation_limit=0
in the startup packet because it does not support renegotiation; other
clients which have not attempted to support renegotiation might well
behave similarly.  The recent removal of this parameter forces them to
break compatibility with either current PostgreSQL versions, or
previous ones.  Per discussion, the best solution is to accept the
parameter but only allow a value of 0.

Shay Rojansky, edited a little by me.
This commit is contained in:
Robert Haas 2015-10-20 09:56:04 -04:00
parent 5be94a9eb1
commit 84ef9c596e
1 changed files with 19 additions and 0 deletions

View File

@ -436,6 +436,14 @@ int tcp_keepalives_idle;
int tcp_keepalives_interval;
int tcp_keepalives_count;
/*
* SSL renegotiation was been removed in PostgreSQL 9.5, but we tolerate it
* being set to zero (meaning never renegotiate) for backward compatibility.
* This avoids breaking compatibility with clients that have never supported
* renegotiation and therefore always try to zero it.
*/
int ssl_renegotiation_limit;
/*
* This really belongs in pg_shmem.c, but is defined here so that it doesn't
* need to be duplicated in all the different implementations of pg_shmem.c.
@ -2579,6 +2587,17 @@ static struct config_int ConfigureNamesInt[] =
NULL, assign_tcp_keepalives_interval, show_tcp_keepalives_interval
},
{
{"ssl_renegotiation_limit", PGC_USERSET, CONN_AUTH_SECURITY,
gettext_noop("SSL regenotiation is no longer supported; this can only be 0"),
NULL,
GUC_NO_SHOW_ALL | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE,
},
&ssl_renegotiation_limit,
0, 0, 0,
NULL, NULL, NULL
},
{
{"tcp_keepalives_count", PGC_USERSET, CLIENT_CONN_OTHER,
gettext_noop("Maximum number of TCP keepalive retransmits."),