Re: SSL (patch 2)
| From | Bear Giles |
|---|---|
| Subject | Re: SSL (patch 2) |
| Date | |
| Msg-id | 200205272147.PAA10863@eris.coyotesong.com |
| In reply to | Re: SSL (patch 2) (Peter Eisentraut <peter_e@gmx.net>) |
| List | pgsql-patches |
> Bear Giles writes:
>
> > This patch adds calls to SSL_get_error() after SSL_read() and
> > SSL_write(), adds SSL_shutdown() before SSL_free(), and changes
> > default protocol from SSLv3 to TLSv1.
>
> What are the advantages and ramifications of changing this protocol? If
> it's the "default" protocol, how can I change it? Patch is OK besides
> that.

It's politics. SSL was written by Netscape, Microsoft came out with their own incompatible extensions, and the IETF formed a group to find a solution that left nobody happy but which everyone could live with. It would have been adopted years ago except that the X.509 group got hung up on something, and since TLS depends on X.509 it couldn't be adopted until X.509 was.

So now SSL is essentially dead - it works, but it won't be fixed if another security hole is found (which is how SSLv2 begat SSLv3). TLSv1 wants you to do some things that SSLv3 lets slide.

The only potential downside is that I'm not entirely sure old libraries will be happy with the new server, but the rest of the changes are so profound that the release notes should strongly recommend that anyone using direct SSL upgrade anyway, so it's easier to make this change now than in a future release.

Bear