| From: | Florian Weimer <fweimer(at)redhat(dot)com> |
|---|---|
| To: | Albe Laurenz <laurenz(dot)albe(at)wien(dot)gv(dot)at>, Andres Freund <andres(at)2ndquadrant(dot)com>, Emil Lenngren <emil(dot)lenngren(at)gmail(dot)com> |
| Cc: | "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: SSL renegotiation |
| Date: | 2015-03-23 12:19:25 |
| Message-ID: | 551004CD.8030004@redhat.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 02/23/2015 04:01 PM, Albe Laurenz wrote:
>> I think you could remove renegotiation from PostgreSQL as long as you
>> offer something better than RC4 in the TLS handshake.
>
> I'd say it is best to wait if and how OpenSSL change their API when they
> implement TLS 1.3.
>
> I'd vote against removing renegotiation.
I'm just suggesting that the effort required to fix bugs in this part of
PostgreSQL could be spent better elsewhere.
> If changing the encryption is so useless, whe did the TLS workgroup
> decide to introduce rekeying as a substitute for renegotiation?
Theoretical considerations, mostly. If rekeying is strictly required
after processing just a few petabytes, the cipher is severely broken and
should no longer be used.
--
Florian Weimer / Red Hat Product Security
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Вадим Горбачев | 2015-03-23 12:37:50 | Fwd: proposal GSoC 2015 task: Allow access to the database via HTTP |
| Previous Message | Michael Paquier | 2015-03-23 11:50:40 | Exposing PG_VERSION_NUM in pg_config |