| From: | Dag-Erling Smørgrav <des(at)des(dot)no> |
|---|---|
| To: | Martijn van Oosterhout <kleptog(at)svana(dot)org> |
| Cc: | Magnus Hagander <magnus(at)hagander(dot)net>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, PostgreSQL mailing lists <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: [PATCH] add ssl_protocols configuration option |
| Date: | 2014-10-23 07:30:24 |
| Message-ID: | 86ppdjb5v3.fsf@nine.des.no |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Martijn van Oosterhout <kleptog(at)svana(dot)org> writes:
> Dag-Erling Smørgrav <des(at)des(dot)no> writes:
> > Martijn van Oosterhout <kleptog(at)svana(dot)org> writes:
> > > Since you can already specify the cipher list, couldn't you just
> > > add -SSLv3 to the cipher list and be done?
> > I didn't want to change the existing behavior; all I wanted was to
> > give users a way to do so if they wish.
> I think we should just disable SSL3.0 altogether. The only way this
> could cause problems is if people are using PostgreSQL with an OpenSSL
> library from last century. As for client libraries, even Windows XP
> supports TLS1.0.
As far as I'm concerned (i.e. as far as FreeBSD and the University of
Oslo are concerned), I couldn't care less about anything older than
0.9.8, which is what FreeBSD 8 and RHEL5 have, but I don't feel
comfortable making that decision for other people. On the gripping
hand, no currently supported version of libpq uses anything older than
TLS; 9.0 through 9.3 use TLS 1.0 only while 9.4 uses TLS 1.0 or higher.
DES
--
Dag-Erling Smørgrav - des(at)des(dot)no
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Fujii Masao | 2014-10-23 07:34:07 | Re: BUG: *FF WALs under 9.2 (WAS: .ready files appearing on slaves) |
| Previous Message | Andreas Karlsson | 2014-10-23 07:25:05 | Re: Reducing lock strength of adding foreign keys |