
Re: SSL (patch 2)

From: Bear Giles <bgiles(at)coyotesong(dot)com>
To: Peter Eisentraut <peter_e(at)gmx(dot)net>
Cc: Bear Giles <bgiles(at)coyotesong(dot)com>, pgsql-patches(at)postgresql(dot)org
Subject: Re: SSL (patch 2)
Date: 2002-05-27 21:47:59
Message-ID: 200205272147.PAA10863@eris.coyotesong.com
Lists: pgsql-patches
> Bear Giles writes:
> 
> > This patch adds calls to SSL_get_error() after SSL_read() and
> > SSL_write(), adds SSL_shutdown() before SSL_free(), and changes
> > default protocol from SSLv3 to TLSv1.
> 
> What are the advantages and ramifications of changing this protocol?  If
> it's the "default" protocol, how can I change it?  Patch is OK besides
> that.

It's politics.  SSL was written by Netscape, Microsoft came out with
their own incompatible extensions, and the IETF formed a group to find
a solution that left nobody happy but which everyone could live with.
It would have been adopted years ago except that the X.509 group
got hung up on something, and since TLS depends on X.509 it couldn't
be adopted until X.509 was.

So now SSL is essentially dead - it works, but it won't be fixed if
another security hole is found (which is how SSLv2 begat SSLv3).  TLSv1
wants you to do some things that SSLv3 lets slide.

The only potential downside is that I'm not entirely sure old libraries
will be happy with the new server, but the rest of the changes are so
profound that the release notes should strongly recommend that anyone 
using direct SSL upgrade anyway, so it's easier to make this change now
than in a future release.

Bear
