From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Tatsuo Ishii <ishii(at)postgresql(dot)org>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Question regarding SSL code in backend and frontend |
Date: | 2012-04-06 16:47:17 |
Message-ID: | CABUevEzMhF=v2oMt9K27+6m=-RiWxm=ZRpA7RHrD+ZWWO3RBzw@mail.gmail.com |
Lists: | pgsql-hackers |

On Fri, Apr 6, 2012 at 18:43, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Magnus Hagander <magnus(at)hagander(dot)net> writes:
>> True. I guess I was just assuming that JDBC (and npgsql I think?) were
>> using TLS - I would assume that to be the default in both Java and
>> .NET. We'd have to check that before making a change of course - and
>> I'm not convinced we need to make the change. But if we're making a
>> change to align those two with each other, that's the direction the
>> change should be in.
>
> Agreed, but should we align them? IIUC, changing the server would cause
> it to reject connections from old non-TLS-aware clients. Seems like
> that isn't a particularly good idea.

Well, it would be a good idea for those that want to be sure they're
using TLS for security reasons (tlsv1 is more secure than sslv3 - see
e.g. http://en.wikipedia.org/wiki/Transport_Layer_Security#Security).
We could also add a server parameter saying ssl_tls_only or something
like that which would switch it...
--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/