The Build


Always Do This #2: ssl_renegotiation_limit = 0

21 December 2015

When there are two separate warnings advising you to turn off a configuration parameter in postgresql.conf, it’s probably a good idea to take the advice and disable it.

In theory, this parameter sets a maximum amount of data that will flow over an SSL connection before the session key is renegotiated, so that an eavesdropper cannot recover the key by collecting a large amount of ciphertext encrypted under it. In practice, it just causes broken connections and miscellaneous problems. Turn it off, especially in situations where you have funky networking and long-lived SSL connections (such as between a primary and a secondary).
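As an added example (not from the original post), here is a small POSIX shell check that audits a postgresql.conf for this parameter, the kind of thing you would run from configuration management or a pre-deploy hook so the setting cannot quietly creep back in. It assumes the `name = value` spelling shown in the stock postgresql.conf (the alternative `name value` form without `=` is not handled) and treats an absent setting as "not explicitly disabled", since that leaves you on whatever default the installed version ships with.

```sh
#!/bin/sh
# Added example, not part of the original post.
# check_ssl_renegotiation_limit CONF
#   returns 0 if ssl_renegotiation_limit is explicitly set to 0 (disabled),
#           1 if it is set to anything else (renegotiation enabled),
#           2 if it is not set at all (the version default applies).
check_ssl_renegotiation_limit() {
    conf="$1"
    # PostgreSQL honours the last active (uncommented) assignment, so do the same.
    # Assumption: the "name = value" form; "name value" without "=" is not parsed.
    raw=$(sed -n 's/^[[:space:]]*ssl_renegotiation_limit[[:space:]]*=[[:space:]]*//p' "$conf" | tail -n 1)
    # Drop a trailing comment, surrounding single quotes and trailing whitespace.
    value=$(printf '%s' "$raw" | sed 's/#.*$//' | tr -d "'" | sed 's/[[:space:]]*$//')
    case "$value" in
        '')               return 2 ;;   # not set: default of the running version applies
        0|0kB|0MB|0GB)    return 0 ;;   # explicitly disabled, as the post recommends
        *)                return 1 ;;   # renegotiation still enabled: flag it
    esac
}

# Demo on a constructed file that still enables renegotiation (constructed sample, not a real server's config).
demo=$(mktemp)
printf 'ssl = on\nssl_renegotiation_limit = 512MB   # constructed sample\n' > "$demo"
rc=0
check_ssl_renegotiation_limit "$demo" || rc=$?
case $rc in
    0) echo "$demo: ssl_renegotiation_limit is disabled" ;;
    1) echo "$demo: ssl_renegotiation_limit is still enabled; set it to 0" ;;
    2) echo "$demo: ssl_renegotiation_limit is not set; set it to 0 explicitly" ;;
esac
rm -f "$demo"
```

On a running server, `SHOW ssl_renegotiation_limit;` in psql confirms the value actually in effect, which is the number that matters once the file has been edited and reloaded.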

Ian Barwick at 18:15, 23 December 2015:

FWIW ssl_renegotiation_limit is effectively removed in 9.5 (it’s still there but undocumented and can’t be set to anything other than 0).