Magnus Hagander <magnus@hagander.net> writes:
> I haven't looked into the details but - is there a point for us to
> remove the requests for renegotiation completely?
The periodic renegotiations are a recommended security measure.
Fixing one hole by introducing a different attack vector doesn't
seem to me to be an improvement. Also, when would we undo it?
At least with the current situation, there is an incentive for
people to get a corrected version of openssl as soon as possible
(not "patched", since what this patch does is break essential
functionality; but actually fixed).
regards, tom lane