Bruce Momjian wrote:
> Marc G. Fournier wrote:
>
>>>>My suggestion would be to eventually phase out ssl2 in favor of ssl3 or
>>>>tls. And, as we are phasing it out, make it an opt-in thing, where the
>>>>dba has to turn on ssl2 KNOWING he is turning on a flawed protocol.
>>>
>>>That was sort of my point --- if we allow SSLv2 in the server, are we
>>>open to any security problems? Maybe not. I just don't know.
There are some weaknesses in SSLv2 that were fixed in SSLv3, but
it takes a knowledgeable attacker to exploit them. Anyone who is
seriously concerned can easily change the startup code in both
client and server and migrate to TLSv1. We kept the current
approach solely for backward compatibilty.
Bear