From: Tom Lane on
Michael Ledford <mledford(a)gmail.com> writes:
> One might argue that the current method is already weakened as it is
> measured by the amount of data sent instead of of a length of time. A
> session could live a long time under the 512MB threshold depending on
> the queries that are being performed.

Renegotiation after X amount of data is the recommended method AFAIK,
because it limits the volume of data available to cryptanalysis.
What makes you think that elapsed time is relevant at all?

regards, tom lane

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: Tom Lane on
Chris Campbell <chris_campbell(a)mac.com> writes:
> Is there a way to detect when the SSL library has renegotiation disabled?

Probably not. The current set of emergency security patches would
certainly not have exposed any new API that would help us tell this :-(

If said patches were done properly they'd have also turned an
application-level renegotiation request into a no-op, instead of
breaking apps by making it fail --- but apparently they were not done
properly.

regards, tom lane

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: Robert Haas on
On Wed, Feb 3, 2010 at 11:52 AM, Michael Ledford <mledford(a)gmail.com> wrote:
> On Wed, Feb 3, 2010 at 11:09 AM, Tom Lane <tgl(a)sss.pgh.pa.us> wrote:
>> Renegotiation after X amount of data is the recommended method AFAIK,
>> because it limits the volume of data available to cryptanalysis.
>> What makes you think that elapsed time is relevant at all?
>
> You are correct. In that volume of data also matters. It depends on
> what kind of attack you are trying to minimize here. In my particular
> use case I fluctuate between idle and busy but mostly low bandwidth.
>
> You have four different primary cases that you are possible:

This may all be true, but I think we're getting off track. If we
force ANY negotiation (whether based on time or bytes transferred), we
will, apparently, break things. So I think that means we should have
a way to disable that behavior, for fear of dissuading people from
using SSL (or PostgreSQL) altogether, or hacking their own copies of
the source in ways that may be even uglier.

....Robert

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: Michael Ledford on
On Wed, Feb 3, 2010 at 11:09 AM, Tom Lane <tgl(a)sss.pgh.pa.us> wrote:
>
> Renegotiation after X amount of data is the recommended method AFAIK,
> because it limits the volume of data available to cryptanalysis.
> What makes you think that elapsed time is relevant at all?
>
>                        regards, tom lane

You are correct. In that volume of data also matters. It depends on
what kind of attack you are trying to minimize here. In my particular
use case I fluctuate between idle and busy but mostly low bandwidth.

You have four different primary cases that you are possible:

1) timed method on an idle link (or low usage)
2) timed method on a busy link (or high usage)
3) data limit on an idle link (or low usage)
4) data limit on a busy link (or high usage)

The timed method is more optimal for case 1.
The data limit is more optimal for case 4.

Case 2 gives an attacker more data to do crypto-analysis.
Case 3 gives an attacker more time to work with the current secret key
on a live link.

Depending on your use case, being able to work with a live link is
worse than working with the data postmortem. There is I'm sure some
hybrid in the middle between these where optimal lives.

Michael

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: Heikki Linnakangas on
Tom Lane wrote:
> Alvaro Herrera <alvherre(a)commandprompt.com> writes:
>> FWIW I think there's another problem with streaming replication here,
>> which is that most data flows from client to server, so it would take
>> quite some time for the threshold to be reached. Note that there's no
>> size check in the libpq frontend code. Normally this is not an issue
>> because the bulk of data is expected to flow in the other direction.
>
> Huh? I thought the slaves connect to the master, rather than the other
> way round?

Correct, slave connects to the master.

Alvaro is pointing out that most data flows from client to server, like
in COPY FROM. But the server counts both in- and out-going data against
the renegotiation limit, so the server will initiate renegotiation just
fine in that case too.

--
Heikki Linnakangas
EnterpriseDB http://www.enterprisedb.com

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers