disable ssl by default for PG connections to workaround renegotiation issues

2014-07-01 15:19:16 +02:00 · 2014-07-01 15:19:16 +02:00 · c0ea3343c3
parent e9363ddf4e
commit c0ea3343c3
3 changed files with 15 additions and 16 deletions
--- a/README.md
+++ b/README.md
@ -211,6 +211,9 @@ For more options see:
 Sorry, that's all documentation for the moment.


+Note: TLS/SSL support is disabled by default due to the lack of renegotiation support in Go's TLS implementation. You can re-enable encryption by setting the `PGSSLMODE` environment variable or the `sslmode` connection option to `require` or `verify-full`, eg: `-connect postgis://host/dbname?sslmode=require`. You will need to disable renegotiation support on your server to prevent connection errors on larger imports. You can do this by setting `ssl_renegotiation_limit` to 0 in your PostgreSQL server configuration.
+
+
 Support
 -------

--- a/database/postgis/postgis.go
+++ b/database/postgis/postgis.go
@ -570,7 +570,7 @@ func New(conf database.Config, m *mapping.Mapping) (database.DB, error) {
 	if err != nil {
 		return nil, err
 	}
-	params = disableDefaultSslOnLocalhost(params)
+	params = disableDefaultSsl(params)
 	params, db.Prefix = stripPrefixFromConnectionParams(params)

 	for name, table := range m.Tables {
--- a/database/postgis/util.go
+++ b/database/postgis/util.go
@ -8,33 +8,29 @@ import (
 	"sync"
 )

-// disableDefaultSslOnLocalhost adds sslmode=disable to params
-// when host is localhost/127.0.0.1 and the sslmode param and
-// PGSSLMODE environment are both not set.
-func disableDefaultSslOnLocalhost(params string) string {
+// disableDefaultSsl adds sslmode=disable to params
+// when sslmode param and PGSSLMODE environment are both not set.
+//
+// Reason: PG will renegotiate encryption after 512MB by default, but
+// Go's TLS does not suport renegotiation. Disable SSL to work around that.
+// See: https://code.google.com/p/go/issues/detail?id=5742
+// and ssl_renegotiation_limit on:
+// http://www.postgresql.org/docs/9.1/static/runtime-config-connection.html
+
+func disableDefaultSsl(params string) string {
 	parts := strings.Fields(params)
-	isLocalHost := false
 	for _, p := range parts {
 		if strings.HasPrefix(p, "sslmode=") {
 			return params
 		}
-		if p == "host=localhost" || p == "host=127.0.0.1" || strings.HasPrefix(p,"host=/") {
-			isLocalHost = true
-		}
-	}
-
-	if !isLocalHost {
-		return params
 	}

 	for _, v := range os.Environ() {
-		parts := strings.SplitN(v, "=", 2)
-		if parts[0] == "PGSSLMODE" {
+		if strings.HasPrefix(v, "PGSSLMODE=") {
 			return params
 		}
 	}

-	// found localhost but explicit no sslmode, disable sslmode
 	return params + " sslmode=disable"
 }