I am confused. How can we switch back to SSLv23_method and still be
compatible with TLSv1_method. Does SSLv23_method support both?
The SSL author didn't like SSLv23_method (especially SSLv2) and I am not
confident to question his decision. We will just have to break backward
compatibility with pre-7.3 clients. No one else has mentioned it as a
problem, and in fact most have probably already upgraded to 7.3, so we
should be OK.
---------------------------------------------------------------------------
Nathan Mueller wrote:
> > I believe that pre7-3 SSL clients will work in 7.3.1, or am I wrong?
>
> In 7.3 the SSL protocol switched from SSLv2 to TLSv1. If the server
> method is switched to SSLv23_method it will be backwords compatable with
> pre-7.3 clients without sacrificing the added security of TLSv1 for
> newer stuff. There's been a lot of other changes to the SSL code between
> 7.2 and 7.3, but I've tested this out and haven't found any problems.
> I've included a patch to src/backend/libpq/be-secure.c if you're
> interested.
>
> --Nate
>
> --- be-secure.c 13 Dec 2002 18:06:44 -0000 1.3
> +++ be-secure.c 18 Dec 2002 04:16:19 -0000
> @@ -587,7 +587,7 @@
> {
> SSL_library_init();
> SSL_load_error_strings();
> - SSL_context = SSL_CTX_new(TLSv1_method());
> + SSL_context = SSL_CTX_new(SSLv23_method());
> if (!SSL_context)
> {
> postmaster_error("failed to create SSL
> context: %s",
>
-- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610)
359-1001+ If your life is a hard drive, | 13 Roberts Road + Christ can be your backup. | Newtown Square,
Pennsylvania19073