Re: 7.3.1 stamped

From: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
To: "Marc G(dot) Fournier" <scrappy(at)hub(dot)org>
Cc: Nathan Mueller <nmueller(at)cs(dot)wisc(dot)edu>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: 7.3.1 stamped
Date: 2002-12-19 02:37:52
Message-ID: 200212190237.gBJ2bq802879@candle.pha.pa.us
Lists: pgsql-hackers

Marc G. Fournier wrote:
> > In short, I wouldn't call SSLv2 insecure, just less secure than v3. I
> > think it's perfectly reasonable to phase it out, just not right now.
> > It'd be nice to have some sort of transition version so you wouldn't
> > have to switch over all your different client programs at the same time
> > you switch all the servers. My preference would be for backwards
> > compatibility in 7.3 and then eliminate it or provide a compile time
> > option in 7.4. If the client stays with TLSv1, newer clients will only
> > use the more secure protocols and older clients will still have the same
> > problems they did before. I don't think that's too much of a problem.
>
> Actually, it would be nice if someone submitted a patch that made choosing
> which method a configure option :)
>
> If nobody else does it, I'll try after I get back from my folks after the
> holidays ...

Well, I had time to research it and looked at that URL on SSL2
vulnerabilities. Seems all the problems are with man-in-the-middle
cases, and with connections not being properly authenticated. They
are not of the variety where you could just attach to the port and
somehow bypass a password prompt or anything like that.

If users always use TLS-capable clients, there shouldn't be any issue.
I was kind of surprised that folks couldn't get the existing TLS code
working because I had it working here, and I don't have the newest
setup. I thought that TLS support was merely having a more recent
version of OpenSSL --- at least that's how I understood it from the SSL
author Bear.

--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
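The question in this thread, which clients would break if the server stopped accepting SSLv2, can be answered from the wire: an SSLv2 CLIENT-HELLO uses a 2-byte record header with the high bit set and 3-byte cipher "kinds", while an SSLv3/TLS ClientHello is a type-0x16 handshake record with 2-byte cipher suites. SSLv2-capable clients that also speak SSLv3/TLS send the SSLv2 framing but advertise a 3.x version and TLS suites, and keep working once SSLv2 is disabled; clients that advertise version 0.2 or only SSLv2 cipher kinds do not. The following is an added example (not code from this thread, from PostgreSQL, or from OpenSSL) that classifies a captured hello on that basis. In a PostgreSQL connection the bytes to feed it are the ones the client sends after the server answers the SSLRequest packet with a single `S`. The sample hellos and the `build_*` helpers are constructed here for illustration; the cipher-kind table is the SSLv2 one.

```python
"""Classify an SSLv2 vs SSLv3/TLS ClientHello by its framing (added example)."""
import struct

# SSLv2 cipher kinds are 3 bytes with a non-zero first byte. SSLv3/TLS suites
# carried inside an SSLv2-framed hello appear as 0x00 followed by the 2-byte suite.
SSLV2_CIPHER_KINDS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}


def classify_client_hello(data: bytes) -> dict:
    """Return framing, highest offered version and cipher lists for a hello."""
    if len(data) < 5:
        raise ValueError("too short for any hello")
    if data[0] & 0x80:            # SSLv2 2-byte header: high bit set, 15-bit length
        return _parse_sslv2_hello(data)
    if data[0] == 0x16:           # SSLv3/TLS handshake record
        return _parse_tls_hello(data)
    # A clear high bit here would be an SSLv2 3-byte (padded) header, which
    # clients do not use for CLIENT-HELLO; treat it as unknown rather than guess.
    raise ValueError("not an SSLv2 or SSLv3/TLS client hello")


def _parse_sslv2_hello(data: bytes) -> dict:
    body_len = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated SSLv2 record")
    if body[0] != 0x01:
        raise ValueError("SSLv2 record is not a CLIENT-HELLO")
    major, minor, cs_len, sid_len, chal_len = struct.unpack(">BBHHH", body[1:9])
    if body_len != 9 + cs_len + sid_len + chal_len or cs_len % 3:
        raise ValueError("SSLv2 CLIENT-HELLO length fields inconsistent")
    specs = body[9:9 + cs_len]
    kinds = [specs[i:i + 3] for i in range(0, cs_len, 3)]
    sslv2_ciphers = [SSLV2_CIPHER_KINDS.get(k, k.hex()) for k in kinds if k[0] != 0]
    tls_suites = [int.from_bytes(k[1:], "big") for k in kinds if k[0] == 0]
    return {"framing": "sslv2", "max_version": (major, minor),
            "sslv2_ciphers": sslv2_ciphers, "tls_suites": tls_suites}


def _parse_tls_hello(data: bytes) -> dict:
    rec_len = struct.unpack(">H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) != rec_len or body[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len:
        raise ValueError("truncated ClientHello")
    major, minor = hs[0], hs[1]
    pos = 2 + 32                                  # client_version + random
    pos += 1 + hs[pos]                            # session_id
    cs_len = struct.unpack(">H", hs[pos:pos + 2])[0]
    pos += 2
    suites = [int.from_bytes(hs[pos + i:pos + i + 2], "big") for i in range(0, cs_len, 2)]
    return {"framing": "tls", "max_version": (major, minor),
            "sslv2_ciphers": [], "tls_suites": suites}


def works_without_sslv2(info: dict) -> bool:
    """True if the client can negotiate SSLv3 or TLS once SSLv2 is turned off."""
    return info["max_version"] >= (3, 0) and bool(info["tls_suites"])


# Constructed sample hellos (hypothetical helpers, not captured traffic).
def build_sslv2_hello(version, kinds, challenge=b"\x11" * 16) -> bytes:
    specs = b"".join(kinds)
    body = (b"\x01" + bytes(version) + struct.pack(">HHH", len(specs), 0, len(challenge))
            + specs + challenge)
    return struct.pack(">H", 0x8000 | len(body)) + body


def build_tls_hello(version, suites, random=b"\x22" * 32) -> bytes:
    cs = b"".join(s.to_bytes(2, "big") for s in suites)
    hs_body = bytes(version) + random + b"\x00" + struct.pack(">H", len(cs)) + cs + b"\x01\x00"
    hs = b"\x01" + len(hs_body).to_bytes(3, "big") + hs_body
    return b"\x16" + bytes(version) + struct.pack(">H", len(hs)) + hs


SSLV2_ONLY_CLIENT = build_sslv2_hello((0, 2), [b"\x01\x00\x80", b"\x07\x00\xc0"])
SSLV23_CLIENT = build_sslv2_hello((3, 1), [b"\x01\x00\x80", b"\x00\x00\x0a", b"\x00\x00\x2f"])
TLS_ONLY_CLIENT = build_tls_hello((3, 1), [0x000a, 0x002f])

if __name__ == "__main__":
    for name, hello in [("sslv2-only", SSLV2_ONLY_CLIENT), ("sslv23", SSLV23_CLIENT),
                        ("tls-only", TLS_ONLY_CLIENT)]:
        info = classify_client_hello(hello)
        print(name, info, "ok without SSLv2:", works_without_sslv2(info))
```

Only the first sample, the client that offers version 0.2 and nothing but SSLv2 cipher kinds, is the kind of client that a server configured without SSLv2 will refuse; the SSLv23-style hello is SSLv2-framed but carries version 3.1 and TLS suites, which is why Nathan's transition concern is mostly about truly old clients rather than every client that happens to send the v2 framing.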
