Re: Should we back-patch SSL renegotiation fixes?
| From | Heikki Linnakangas |
|---|---|
| Subject | Re: Should we back-patch SSL renegotiation fixes? |
| Date | |
| Msg-id | 558BF85A.5040206@iki.fi |
| In reply to | Should we back-patch SSL renegotiation fixes? (Tom Lane <tgl@sss.pgh.pa.us>) |
| List | pgsql-hackers |
On 06/25/2015 03:03 PM, Andres Freund wrote:
> The situation is this: We have broken code using broken code. I think we
> either got to apply, darn nontrivial, fixes from
> http://archives.postgresql.org/message-id/54DE6FAF.6050005%40vmware.com
> or we got to cripple the options.
>
> It's also not the first breakage, we've applied a lot of bandaids to
> this code already. Our way of doing renegotiation also has broken
> several SSL client implementations...

Note that even with those patches, renegotiation is still broken in some scenarios: http://www.postgresql.org/message-id/54DCF736.2060207@vmware.com. As far as I can tell, OpenSSL's handling of renegotiation is fundamentally broken, and there is nothing we can do in the application to completely work around that.

+1 for changing the default to disable renegotiation, in all branches.

- Heikki