On 07/31/2017 02:24 AM, Shay Rojansky wrote:
Just to continue the above, I can confirm that adding a simple call to SSL_CTX_set_session_id_context() to be_tls_init() with some arbitrary const value fixes the error for me. Attached is a patch (ideally a test should be done for this, but that's beyond what I can invest at the moment, let me know if it's absolutely necessary).
I agree with Tom that we don't really want abbreviated SSL handshakes, or other similar optimizations, to take place. PostgreSQL connections are quite long-lived, so we have little to gain. But it makes the attack surface larger. There have been vulnerabilities related to SSL renegotiation, resumption, abbreviated handshakes, and all that.
I think we should actually call SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF), to disable session caching altogether. I'm not sure if we still need to call SSL_CTX_set_session_cache_mode() if we do that.
I know next-to-nothing about .Net; is there some easy way to download a .Net client application and test this?
- Heikki -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
