From: | Andres Freund <andres(at)anarazel(dot)de> |
---|---|
To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
Cc: | Peter Eisentraut <peter_e(at)gmx(dot)net>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Should we back-patch SSL renegotiation fixes? |
Date: | 2015-06-26 13:59:38 |
Message-ID: | 20150626135938.GE8902@alap3.anarazel.de |
Lists: | pgsql-hackers |

On 2015-06-26 09:53:30 -0400, Robert Haas wrote:
> On Thu, Jun 25, 2015 at 8:03 AM, Andres Freund <andres(at)anarazel(dot)de> wrote:
> >> I don't accept the argument that there are not ways to tell users
> >> about things they might want to do.
> >
> > We probably could do that. But why would we want to? It's just as much
> > work, and puts the onus on more people?
>
> Because it doesn't force a behavior change down everyone's throat.

Generally I'd agree that that is a bad thing. But there's really not
much of an observable behaviour change in this case? Except that
connections using ssl break less often.

> If it were just a question of back-porting fixes, even somewhat
> invasive ones, well, maybe that's what we have to do; that's pretty
> much exactly what we are planning to do for the MultiXact case

There's no way we can reasonably "disable" multixacts, so I don't think
these situations are comparable.

> but according to Heikki, this is broken even in master and can't really be
> fixed unless and until OpenSSL gets their act together.

Yes, that's my conclusion as well, leading to my position in this
thread.

> That's a hard argument to argue with, and I think I'm on board with
> it.

Given that reported bugs for openssl around this have existed since
about 2002 without any effort at fixing, I think it's seriously unlikely
that they ever will.

Greetings,

Andres Freund