| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Bruce Momjian <bruce(at)momjian(dot)us> |
| Cc: | Chris Campbell <chris_campbell(at)mac(dot)com>, Robert Haas <robertmhaas(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: Recent vendor SSL renegotiation patches break PostgreSQL |
| Date: | 2010-02-20 17:55:27 |
| Message-ID: | 11872.1266688527@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Bruce Momjian <bruce(at)momjian(dot)us> writes:
> Tom Lane wrote:
>> Chris Campbell <chris_campbell(at)mac(dot)com> writes:
>>> Is there a way to detect when the SSL library has renegotiation disabled?
>>
>> Probably not. The current set of emergency security patches would
>> certainly not have exposed any new API that would help us tell this :-(
>>
>> If said patches were done properly they'd have also turned an
>> application-level renegotiation request into a no-op, instead of
>> breaking apps by making it fail --- but apparently they were not done
>> properly.
> Is there anything remaining to do on this issue?
I'm not sure. My impression is that by the time we had anything in the
field, there will be real fixes for the SSL renegotiation problem.
So all we'd be accomplishing is to weaken security for people who have
those fixes, to cater to people who are using copies of openssl they'd
obtained in the past couple of months and then not updated to latest.
However, if anyone thinks that the SSL problem isn't going to get fixed
promptly, maybe it needs more consideration.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bruce Momjian | 2010-02-20 17:57:55 | Re: PGXS: REGRESS_OPTS=--load-language=plpgsql |
| Previous Message | Tom Lane | 2010-02-20 17:49:55 | Re: PGXS: REGRESS_OPTS=--load-language=plpgsql |