From: | Dave Cramer <pg(at)fastcrypt(dot)com> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Stefan Kaltenbrunner <stefan(at)kaltenbrunner(dot)cc>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: OpenSSL key renegotiation with patched openssl |
Date: | 2009-11-30 16:43:30 |
Message-ID: | 491f66a50911300843g1372208ct83df67f24c09983@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Fri, Nov 27, 2009 at 4:58 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Stefan Kaltenbrunner <stefan(at)kaltenbrunner(dot)cc> writes:
>> Tom Lane wrote:
>>> The discussion I saw suggested that you need such a patch at both ends.
>
>> and likely requires a restart of both postgresql and slony afterwards...
>
> Actually, after looking through the available info about this:
> https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.txt
> I think my comment above is wrong. It is useful to patch the
> *server*-side library to reject a renegotiation request. Applying that
> patch on the client side, however, is useless and simply breaks things.
>
> regards, tom lane
I've looked at the available patches for openssl, and so far can only
see that ssl3_renegotiate returns 0 if a renegotiation is requested,
which would cause pg to throw an error. Is there another patch that
fixes this ? I would have expected openssl to simply ignore this
request if renegotiation is removed from the library ?
Dave
>
From | Date | Subject | |
---|---|---|---|
Next Message | Hans-Jürgen Schönig | 2009-11-30 16:46:45 | Re: draft RFC: concept for partial, wal-based replication |
Previous Message | Tom Lane | 2009-11-30 16:39:18 | Re: Empty dictionary file when creating text search dictionary |