disable ssl by default for PG connections to workaround renegotiation issues
parent
e9363ddf4e
commit
c0ea3343c3
|
@ -211,6 +211,9 @@ For more options see:
|
|||
Sorry, that's all documentation for the moment.
|
||||
|
||||
|
||||
Note: TLS/SSL support is disabled by default due to the lack of renegotiation support in Go's TLS implementation. You can re-enable encryption by setting the `PGSSLMODE` environment variable or the `sslmode` connection option to `require` or `verify-full`, eg: `-connect postgis://host/dbname?sslmode=require`. You will need to disable renegotiation support on your server to prevent connection errors on larger imports. You can do this by setting `ssl_renegotiation_limit` to 0 in your PostgreSQL server configuration.
|
||||
|
||||
|
||||
Support
|
||||
-------
|
||||
|
||||
|
|
|
@ -570,7 +570,7 @@ func New(conf database.Config, m *mapping.Mapping) (database.DB, error) {
|
|||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
params = disableDefaultSslOnLocalhost(params)
|
||||
params = disableDefaultSsl(params)
|
||||
params, db.Prefix = stripPrefixFromConnectionParams(params)
|
||||
|
||||
for name, table := range m.Tables {
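Review bot: The call site in New now applies the plaintext fallback to every host, not just loopback and Unix sockets, and nothing at this line tells a reader that the connection may end up unencrypted depending on the process environment (PGSSLMODE is read inside the helper). A one-line comment here would make the downgrade visible where the connection is actually built: `// no explicit sslmode anywhere (params or PGSSLMODE): fall back to plaintext, see disableDefaultSsl`. Because the helper consults os.Environ, the result of New is environment-dependent; the name disableDefaultSsl does not hint at that. New's body starts and ends outside this hunk.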
|
||||
|
|
|
@ -8,33 +8,29 @@ import (
|
|||
"sync"
|
||||
)
|
||||
|
||||
// disableDefaultSslOnLocalhost adds sslmode=disable to params
|
||||
// when host is localhost/127.0.0.1 and the sslmode param and
|
||||
// PGSSLMODE environment are both not set.
|
||||
func disableDefaultSslOnLocalhost(params string) string {
|
||||
// disableDefaultSsl adds sslmode=disable to params
|
||||
// when sslmode param and PGSSLMODE environment are both not set.
|
||||
//
|
||||
// Reason: PG will renegotiate encryption after 512MB by default, but
|
||||
// Go's TLS does not suport renegotiation. Disable SSL to work around that.
|
||||
// See: https://code.google.com/p/go/issues/detail?id=5742
|
||||
// and ssl_renegotiation_limit on:
|
||||
// http://www.postgresql.org/docs/9.1/static/runtime-config-connection.html
|
||||
|
||||
func disableDefaultSsl(params string) string {
|
||||
parts := strings.Fields(params)
|
||||
isLocalHost := false
|
||||
for _, p := range parts {
|
||||
if strings.HasPrefix(p, "sslmode=") {
|
||||
return params
|
||||
}
|
||||
if p == "host=localhost" || p == "host=127.0.0.1" || strings.HasPrefix(p,"host=/") {
|
||||
isLocalHost = true
|
||||
}
|
||||
}
|
||||
|
||||
if !isLocalHost {
|
||||
return params
|
||||
}
|
||||
|
||||
for _, v := range os.Environ() {
|
||||
parts := strings.SplitN(v, "=", 2)
|
||||
if parts[0] == "PGSSLMODE" {
|
||||
if strings.HasPrefix(v, "PGSSLMODE=") {
|
||||
return params
|
||||
}
|
||||
}
|
||||
|
||||
// found localhost but explicit no sslmode, disable sslmode
|
||||
return params + " sslmode=disable"
|
||||
}
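Review bot: The comment above the final return, `// found localhost but explicit no sslmode, disable sslmode`, is now stale: the localhost check was removed, so the function appends `sslmode=disable` for any host, including remote ones, whenever neither the params nor PGSSLMODE name a mode. Replace it with `// no sslmode in params or PGSSLMODE: fall back to plaintext (see reason above)`. Since this silently downgrades remote connections to cleartext, consider emitting a warning at that return when the host is not loopback or a Unix socket, so operators notice credentials and data now cross the network unencrypted; the parsing here assumes params is already in keyword=value form at this point, which I cannot confirm from the hunk. The PGSSLMODE scan works but `strings.HasPrefix(p, "sslmode=")` would also match a key such as `sslmode=` with an empty value and then leave the default untouched, which is probably fine but worth a note. Minor: "suport" in the header comment should be "support".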
|
||||
|
||||
|
|