On Sat, Jan 25, 2014 at 12:25:30PM -0500, Tom Lane wrote:
> Alternatively, given that TLS has been around for a dozen years and
> openssl versions that old have not gotten security updates for a long
> time, why don't we just reject SSLv3 on the backend side too?
> I guess it's barely possible that somebody out there is using a
> non-libpq-based client that uses a non-TLS-capable SSL library, but
> surely anybody like that is overdue to move into the 21st century.
> An SSL library that old is probably riddled with security issues.
Attached patch disables SSLv3 in backend.
TLS is supported in OpenSSL since fork from SSLeay, in Java since 1.4.2,
in Windows since XP. It's hard to imagine this causing any
compatibility problems.
--
marko