Skip site navigation (1) Skip section navigation (2)

Re: 7.3.1 stamped

From: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
To: "scott(dot)marlowe" <scott(dot)marlowe(at)ihs(dot)com>
Cc: "Marc G(dot) Fournier" <scrappy(at)hub(dot)org>,Nathan Mueller <nmueller(at)cs(dot)wisc(dot)edu>,PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: 7.3.1 stamped
Date: 2002-12-18 21:28:13
Message-ID: 200212182128.gBILSDJ18421@candle.pha.pa.us (view raw or flat)
Thread:
Lists: pgsql-hackers
scott.marlowe wrote:
> > I wasn't sure how insecure SSL2 was, and whether it allowed you to
> > authenticate without a password or something.
> 
> SSL2 seems to get a lot of votes for being broken in ways that cannot be 
> fixed because they aren't simple buffer overflows.  see:
> 
> http://www.lne.com/ericm/papers/ssl_servers.html#1.2
> 
> My suggestion would be to eventually phase out ssl2 in favor of ssl3 or 
> tls.  And, as we are phasing it out, make it an opt-in thing, where the 
> dba has to turn on ssl2 KNOWING he is turning on a flawed protocol.

That was sort of my point --- if we allow SSLv2 in the server, are we
open to any security problems?  Maybe not.  I just don't know.

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman(at)candle(dot)pha(dot)pa(dot)us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073

In response to

Responses

pgsql-hackers by date

Next:From: Neil ConwayDate: 2002-12-18 23:24:20
Subject: Re: MySQL 4.1 Features
Previous:From: Bruce MomjianDate: 2002-12-18 21:25:23
Subject: Re: v7.3.1 tar ready ... please check it ...

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group