| From: | Magnus Hagander <magnus(at)hagander(dot)net> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | Stefan Kaltenbrunner <stefan(at)kaltenbrunner(dot)cc>, Dave Cramer <davecramer(at)gmail(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: OpenSSL key renegotiation with patched openssl |
| Date: | 2009-11-30 21:21:10 |
| Message-ID: | 9837222c0911301321g724291efw821dc74d5640486a@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
2009/11/27 Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>:
> Stefan Kaltenbrunner <stefan(at)kaltenbrunner(dot)cc> writes:
>> Tom Lane wrote:
>>> The discussion I saw suggested that you need such a patch at both ends.
>
>> and likely requires a restart of both postgresql and slony afterwards...
>
> Actually, after looking through the available info about this:
> https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.txt
> I think my comment above is wrong. It is useful to patch the
> *server*-side library to reject a renegotiation request. Applying that
> patch on the client side, however, is useless and simply breaks things.
I haven't looked into the details but - is there a point for us to
remove the requests for renegotiation completely? Will this help those
that *haven't* upgraded their openssl library? I realize it's not
necessarily our bug to fix, but if we can help.. :) If a patched
version of openssl ignores the renegotiation anyway, there's nothing
lost if we turn it off in postgresql, is there?
--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Jeff Davis | 2009-11-30 21:22:25 | Re: New VACUUM FULL |
| Previous Message | Simon Riggs | 2009-11-30 21:18:59 | Re: Block-level CRC checks |