From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | Dag-Erling Smørgrav <des(at)des(dot)no> |
Cc: | Alex Shulgin <ash(at)commandprompt(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: [PATCH] add ssl_protocols configuration option |
Date: | 2014-11-20 09:26:37 |
Message-ID: | CABUevEzK+YGZtuhD7Dk49QHV5_MHDnD_pymQjXd6_Enp+O0wOw@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Thu, Nov 20, 2014 at 10:19 AM, Dag-Erling Smørgrav <des(at)des(dot)no> wrote:
> Magnus Hagander <magnus(at)hagander(dot)net> writes:
>> Alex Shulgin <ash(at)commandprompt(dot)com> writes:
>> > * The code allows specifying SSLv2 and SSLv3 in the GUC, but removes
>> > them forcibly after parsing the complete string (a warning is issued).
>> > Should we also add a note about this to the documentation?
>> I see no reason to accept them at all, if we're going to reject them
>> later anyway.
>>
>> We can argue (as was done earlier in this thread) if we can drop SSL
>> 3.0 completely -- but we can *definitely* drop SSLv2, and we should.
>> But anything that we're going to reject at a later stage anyway, we
>> should reject early.
>
> It's not really "early or late", but rather "within the loop or at the
> end of it". From the users' perspective, the difference is that they
> get (to paraphrase) "SSLv2 is not allowed" instead of "syntax error" and
> that they can use constructs such as "ALL:-SSLv2".
Ah, I see now - I hadn't looked at the code, just the review comment.
It's a "fallout" from the reverse logic in openssl. Then it makes a
lot more sense.
--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
From | Date | Subject | |
---|---|---|---|
Next Message | Simon Riggs | 2014-11-20 09:37:33 | Re: Add shutdown_at_recovery_target option to recovery.conf |
Previous Message | Jeff Davis | 2014-11-20 09:21:55 | Re: group locking: incomplete patch, just for discussion |