From: | The Hermit Hacker <scrappy(at)hub(dot)org> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Magnus Hagander <mha(at)sollentuna(dot)net>, pgsql-interfaces(at)hub(dot)org, pgsql-hackers(at)postgreSQL(dot)org |
Subject: | Re: [HACKERS] Re: SSL patch |
Date: | 1999-07-23 17:16:56 |
Message-ID: | Pine.BSF.4.05.9907231415070.78452-100000@thelab.hub.org |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers pgsql-interfaces |
On Fri, 23 Jul 1999, Tom Lane wrote:
> Magnus Hagander <mha(at)sollentuna(dot)net> writes:
> > I've now finished "polishing off" my old SSL code, and rewritten it to work
> > with 6.6 (current snapshot). Included is the patch against the cvs tree from
> > Jul 22nd.
>
> Cool. Secure connections are good.
>
> > Unfortunatly, in order to allow for negotiated SSL, this patch breaks the
> > current protocol (meaning old clients will not work with the new server, and
> > the other way around). I felt it was better to break this here, than to
> > break the frontend API (which would otherwise have been required).
>
> This is *not* cool. Breaking both clients and servers, whether they
> actually support SSL or not, is a bit much, don't you think? Especially
> when the way you propose to do it makes it impossible for a server to
> support both old and new clients: by the time the server finds out the
> client's protocol version, it's already done something incompatible
> with old clients.
>
> I think there must be some way of signaling SSL support capability
> without making a backwards-incompatible change in the startup protocol.
> At a minimum an SSL-enabled server must be able to accept connections
> from pre-SSL clients.
>
> If nothing better comes to mind, we could have SSL-capable servers
> listen at two port addresses, say 5432 for insecure connections and
> 5433 for secure ones. But there's probably a better way.
>
> BTW, it should be possible for the dbadmin to configure a server to
> accept *only* secured connections, perhaps from a subset of users/hosts;
> that would take a new column in pg_hba.conf. Didn't look at your patch
> closely enough to see if you already did that...
I may be lost here, so forgive me ahead of time...but, if I'm reading
Magnus' email correctly, this just breaks backward compatibility...with
the change, pre-6.6 clients would not be able to talk to a 6.6 server, but
6.7 and 6.6 would be compatible?
If this is correct, I've lost what the problem is here, except that, if
this is the case, such a change shoudl signal a new major number release,
vs just minor...
Marc G. Fournier ICQ#7615664 IRC Nick: Scrappy
Systems Administrator @ hub.org
primary: scrappy(at)hub(dot)org secondary: scrappy(at){freebsd|postgresql}.org
From | Date | Subject | |
---|---|---|---|
Next Message | Magnus Hagander | 1999-07-23 17:32:55 | RE: [INTERFACES] Re: SSL patch |
Previous Message | Bruce Momjian | 1999-07-23 16:30:27 | Re: [PORTS] RedHat6.0 & Alpha |
From | Date | Subject | |
---|---|---|---|
Next Message | Tom Lane | 1999-07-23 20:38:32 | Re: [HACKERS] Re: SSL patch |
Previous Message | Peter Mount | 1999-07-23 17:07:24 | Re: [INTERFACES] Connection from win95 to postgresql using JDBC and jdk1.2 |