Re: OpenSSL key renegotiation with patched openssl

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Magnus Hagander <magnus(at)hagander(dot)net>
Cc: Stefan Kaltenbrunner <stefan(at)kaltenbrunner(dot)cc>, Dave Cramer <davecramer(at)gmail(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: OpenSSL key renegotiation with patched openssl
Date: 2009-11-30 21:43:21
Message-ID: 12085.1259617401@sss.pgh.pa.us
Lists: pgsql-hackers

Magnus Hagander <magnus(at)hagander(dot)net> writes:
> I haven't looked into the details but - is there a point for us to
> remove the requests for renegotiation completely?

The periodic renegotiations are a recommended security measure.
Fixing one hole by introducing a different attack vector doesn't
seem to me to be an improvement. Also, when would we undo it?
At least with the current situation, there is an incentive for
people to get a corrected version of openssl as soon as possible
(not "patched", since what this patch does is break essential
functionality; but actually fixed).

regards, tom lane
