| From: | Dag-Erling Smørgrav <des(at)des(dot)no> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | Magnus Hagander <magnus(at)hagander(dot)net>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, PostgreSQL mailing lists <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: [PATCH] add ssl_protocols configuration option |
| Date: | 2014-10-22 13:16:56 |
| Message-ID: | 864muwdz1z.fsf@nine.des.no |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> writes:
> And in the end, if we set values like this from PG --- whether
> hard-wired or via a GUC --- the SSL library people will have exactly
> the same perspective with regards to *our* values. And not without
> reason; we were forcing very obsolete settings up till recently,
> because nobody had looked at the issue for a decade. I see no reason
> to expect that that history won't repeat itself.
I'm not sure what you're saying here, but - I'm not sure how familiar
you are with the OpenSSL API, but it's insecure by default. There is
*no other choice* for an application than to explicitly select which
protocols it wants to use (or at least which protocols it wants to
avoid). And you can't change OpenSSL, because a ton of old crappy
software is going to break.
DES
--
Dag-Erling Smørgrav - des(at)des(dot)no
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Michael Paquier | 2014-10-22 13:20:51 | Re: BUG: *FF WALs under 9.2 (WAS: .ready files appearing on slaves) |
| Previous Message | Teodor Sigaev | 2014-10-22 13:14:43 | speedup tidbitmap patch: hash BlockNumber |