Skip site navigation (1) Skip section navigation (2)

Re: [HACKERS] Re: SSL patch

From: The Hermit Hacker <scrappy(at)hub(dot)org>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Magnus Hagander <mha(at)sollentuna(dot)net>, pgsql-interfaces(at)hub(dot)org, pgsql-hackers(at)postgreSQL(dot)org
Subject: Re: [HACKERS] Re: SSL patch
Date: 1999-07-23 17:16:56
Message-ID: Pine.BSF.4.05.9907231415070.78452-100000@thelab.hub.org (view raw or flat)
Thread:
Lists: pgsql-hackerspgsql-interfaces
On Fri, 23 Jul 1999, Tom Lane wrote:

> Magnus Hagander <mha(at)sollentuna(dot)net> writes:
> > I've now finished "polishing off" my old SSL code, and rewritten it to work
> > with 6.6 (current snapshot). Included is the patch against the cvs tree from
> > Jul 22nd.
> 
> Cool.  Secure connections are good.
> 
> > Unfortunatly, in order to allow for negotiated SSL, this patch breaks the
> > current protocol (meaning old clients will not work with the new server, and
> > the other way around). I felt it was better to break this here, than to
> > break the frontend API (which would otherwise have been required).
> 
> This is *not* cool.  Breaking both clients and servers, whether they
> actually support SSL or not, is a bit much, don't you think?  Especially
> when the way you propose to do it makes it impossible for a server to
> support both old and new clients: by the time the server finds out the
> client's protocol version, it's already done something incompatible
> with old clients.
> 
> I think there must be some way of signaling SSL support capability
> without making a backwards-incompatible change in the startup protocol.
> At a minimum an SSL-enabled server must be able to accept connections
> from pre-SSL clients.
> 
> If nothing better comes to mind, we could have SSL-capable servers
> listen at two port addresses, say 5432 for insecure connections and
> 5433 for secure ones.  But there's probably a better way.
> 
> BTW, it should be possible for the dbadmin to configure a server to
> accept *only* secured connections, perhaps from a subset of users/hosts;
> that would take a new column in pg_hba.conf.  Didn't look at your patch
> closely enough to see if you already did that...

I may be lost here, so forgive me ahead of time...but, if I'm reading
Magnus' email correctly, this just breaks backward compatibility...with
the change, pre-6.6 clients would not be able to talk to a 6.6 server, but
6.7 and 6.6 would be compatible?

If this is correct, I've lost what the problem is here, except that, if
this is the case, such a change shoudl signal a new major number release,
vs just minor...

Marc G. Fournier                   ICQ#7615664               IRC Nick: Scrappy
Systems Administrator @ hub.org 
primary: scrappy(at)hub(dot)org           secondary: scrappy(at){freebsd|postgresql}.org 


In response to

pgsql-hackers by date

Next:From: Magnus HaganderDate: 1999-07-23 17:32:55
Subject: RE: [INTERFACES] Re: SSL patch
Previous:From: Bruce MomjianDate: 1999-07-23 16:30:27
Subject: Re: [PORTS] RedHat6.0 & Alpha

pgsql-interfaces by date

Next:From: Tom LaneDate: 1999-07-23 20:38:32
Subject: Re: [HACKERS] Re: SSL patch
Previous:From: Peter MountDate: 1999-07-23 17:07:24
Subject: Re: [INTERFACES] Connection from win95 to postgresql using JDBC and jdk1.2

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group