| From: | Dag-Erling Smørgrav <des(at)des(dot)no> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, Martijn van Oosterhout <kleptog(at)svana(dot)org>, Magnus Hagander <magnus(at)hagander(dot)net>, Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, PostgreSQL mailing lists <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: [PATCH] add ssl_protocols configuration option |
| Date: | 2014-10-23 18:56:49 |
| Message-ID: | 86vbnazkb2.fsf@nine.des.no |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> writes:
> Anyone who is feeling paranoid about shutting off SSLv3 despite (1)
> can do so via the existing ssl_ciphers GUC parameter [...] the ciphers
> string includes categories corresponding to protocol versions, so you
> can shut off an old protocol version there if you need to.
The overlap between SSL 3.0 and TLS 1.0 is 100%:
% openssl ciphers SSLv2 | md5
fe5ff23432f119364a1126ca0776c5db
% openssl ciphers SSLv3 | md5
bde4e4a10b9c3f323c0632ad067e293a
% openssl ciphers TLSv1 | md5
bde4e4a10b9c3f323c0632ad067e293a
% openssl ciphers TLSv1.2 | md5
26c375b6bdefb018b9dd7df463658320
Thus, if you disable all SSL 3.0 ciphers, you also disable TLS 1.0.
DES
--
Dag-Erling Smørgrav - des(at)des(dot)no
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Joe Van Dyk | 2014-10-23 18:59:12 | ltree::text not immutable? |
| Previous Message | Florian Pflug | 2014-10-23 18:41:46 | Re: Question about RI checks |