| From: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
|---|---|
| To: | Nathan Mueller <nmueller(at)cs(dot)wisc(dot)edu> |
| Cc: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: 7.3.1 stamped |
| Date: | 2002-12-18 04:29:10 |
| Message-ID: | 200212180429.gBI4TAM08655@candle.pha.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Nathan Mueller wrote:
> > I am confused. How can we switch back to SSLv23_method and still be
> > compatible with TLSv1_method. Does SSLv23_method support both?
>
> SSLv23 understands SSLv2, SSLv3 and TLSv1. When used in a client it uses
> SSLv2 but tells the server it can understand the other ones too. Check
> out the SSL_CTX_new manpage for a lot more details.
>
> > The SSL author didn't like SSLv23_method (especially SSLv2) and
> > I am not
> > confident to question his decision. We will just have to break
> > backward
> > compatibility with pre-7.3 clients. No one else has mentioned it as a
> > problem, and in fact most have probably already upgraded to 7.3, so we
> > should be OK.
>
> I agree, TLSv1 is a lot better but there's no point in breaking
> backwords compatibility when you don't have to. Also, given my problems
> with 7.3's SSL I'd be surprised if a lot of people who use it have made
> the switch.
Well, we break backward compatibility so people can't use SSL2 to
connect to the server. Backward compatibility to a broken protocol
isn't what I would call secure. Is that accurate?
--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Nathan Mueller | 2002-12-18 04:48:40 | Re: 7.3.1 stamped |
| Previous Message | Nathan Mueller | 2002-12-18 04:27:13 | Re: 7.3.1 stamped |