On 06/25/2015 03:03 PM, Andres Freund wrote:
> The situation is this: We have broken code using broken code. I think we
> either got to apply, darn nontrivial, fixes from
> http://archives.postgresql.org/message-id/54DE6FAF.6050005%40vmware.com
> or we got to cripple the options.
>
> It's also not the first breakage, we've applied a lot of bandaids to
> this code already. Our way of doing renegotiation also has broken
> several SSL client implementations...

Note that even with those patches, renegotiation is still broken in some
scenarios:
http://www.postgresql.org/message-id/54DCF736.2060207@vmware.com. As far
as I can tell, OpenSSL's handling of renegotiation is fundamentally
broken, and there is nothing we can do in the application to completely
work around that.

+1 for changing the default to disable renegotiation, in all branches.

- Heikki