Re: SSL renegotiation

On Fri, Jul 12, 2013 at 08:51:52PM -0400, Noah Misch wrote:
> On Fri, Jul 12, 2013 at 04:32:52PM -0400, Alvaro Herrera wrote:
> > Now, should we support the 0.9.6-and-earlier mechanism? My
> > inclination is no; even RHEL 3, the oldest supported Linux
> > distribution, uses 0.9.7 (Heck, even Red Hat Linux 9, released on
> > 2003). To see OpenSSL 0.9.6 you need to go back to Red Hat Linux
> > 7.2, released on 2001 using a Linux kernel 2.4. Surely no one in
> > their right mind would use a current Postgres release on such an
> > ancient animal.
>
> Agreed. The OpenSSL Project last applied a security fix to 0.9.6
> over eight years ago. Compatibility with 0.9.6 has zero or negative
> value.

You've made a persuasive case that we should actively break backward
compatibility here. Would that be complicated to do?

Cheers,
David.
--
David Fetter <david(at)fetter(dot)org> http://fetter.org/
Phone: +1 415 235 3778 AIM: dfetter666 Yahoo!: dfetter
Skype: davidfetter XMPP: david(dot)fetter(at)gmail(dot)com
iCal: webcal://www.tripit.com/feed/ical/people/david74/tripit.ics

Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate