On Wed, 18 Dec 2002, Bruce Momjian wrote:
> scott.marlowe wrote:
> > > I wasn't sure how insecure SSL2 was, and whether it allowed you to
> > > authenticate without a password or something.
> > SSL2 seems to get a lot of votes for being broken in ways that cannot be
> > fixed because they aren't simple buffer overflows. see:
> > http://www.lne.com/ericm/papers/ssl_servers.html#1.2
> > My suggestion would be to eventually phase out ssl2 in favor of ssl3 or
> > tls. And, as we are phasing it out, make it an opt-in thing, where the
> > dba has to turn on ssl2 KNOWING he is turning on a flawed protocol.
> That was sort of my point --- if we allow SSLv2 in the server, are we
> open to any security problems? Maybe not. I just don't know.
My understanding of SSL/TLS is that the DBA himself has to enable it ...
there has to be a server/client key setup, similar to how it gets done
with Apache for https connections ... can someone confirm whether this is
In response to
pgsql-hackers by date
|Next:||From: Marc G. Fournier||Date: 2002-12-19 02:34:07|
|Subject: Re: 7.3.1 stamped|
|Previous:||From: Christopher Kings-Lynne||Date: 2002-12-19 02:14:13|
|Subject: Fancy ADD COLUMN|