Re: Should we back-patch SSL renegotiation fixes?

On 2015-06-26 10:26:58 -0400, Robert Haas wrote:
> On Fri, Jun 26, 2015 at 9:59 AM, Andres Freund <andres(at)anarazel(dot)de> wrote:
> > Generally I'd agree that that is a bad thing. But there's really not
> > much of a observable behaviour change in this case? Except that
> > connections using ssl break less often.
>
> Well, SSL renegotiation exists for a reason: to improve security.

Well, except that even if it were implemented correctly it's far from
clear cut that it's a win:

If your argument is that key-rotation is beneficial because it gives an
attacker less encrypted material to analyze: That's not a good argument,
you're just giving him more information about the assymetric crypto side
of things instead about the session key which is ephemeral anyway.

I think they only real argument for it is that you want to limit the
amount of data you could decrypt if you gain access to the current
symmetric key via the client's memory . But that's not a particularly
large benefit.

> But it seems we have little choice, at least until we can support some
> other SSL implementation (and maybe not even then).

I read through one other SSL implementation (NSS), and I don't think
it's substantially better handled there. At least one other
implementations is ripping out support entirely already.