Re: Post-CVE Wishlist

From: Tom Lane
Subject: Re: Post-CVE Wishlist
Msg-id: 62574.1637704932@sss.pgh.pa.us
In reply to: Re: Post-CVE Wishlist (Robert Haas <robertmhaas@gmail.com>)
List: pgsql-hackers

Robert Haas <robertmhaas@gmail.com> writes:
> I am not persuaded by this argument. Suppose we added a server option
> like ssl_port which causes us to listen on an additional port and, on
> that port, everything, from the first byte on this connection, is
> encrypted using SSL.

Right, a separate port number (much akin to http 80 vs https 443) is
pretty much the only way this could be managed.  That's messy enough
that I don't see anyone wanting to do it for purely-hypothetical
benefits.  If we'd done it that way from the start, it'd be fine;
but there's way too much established practice now.

> Now that being said, https://www.openldap.org/faq/data/cache/605.html
> claims that ldaps (encrypt from the first byte) is deprecated in favor
> of STARTTLS (encrypt by negotiation). It's interesting that Jacob is
> proposing to introduce as a new and better option the thing they've
> decided they don't like.

Indeed, that is interesting.  I wonder if we can find the discussions
that led to that decision.

            regards, tom lane
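The two models being contrasted above, shown as wire bytes. This is an added example, not code from the thread or from PostgreSQL itself: it builds the real 8-byte SSLRequest that libpq sends on a normal PostgreSQL port, runs a toy backend and a toy client over an in-process socketpair to show the "encrypt by negotiation" exchange (client asks, server answers 'S' or 'N', client decides), and classifies what a listener would see as the first bytes of a connection. The "tls-record" case models the hypothetical ssl_port from Robert's message, where the first bytes are a TLS handshake record rather than a protocol message. The toy stops where the real client would wrap the socket in TLS; no certificates are involved, and the sample byte strings are constructed here.

```python
import socket
import struct
import threading

# Constants from the PostgreSQL frontend/backend protocol.
SSL_REQUEST_CODE = 80877103   # (1234 << 16) | 5679, the SSLRequest magic
PROTOCOL_3_0 = 196608         # (3 << 16) | 0, version field of a StartupMessage


def build_ssl_request() -> bytes:
    """The 8-byte SSLRequest libpq sends before anything else on a plain port."""
    return struct.pack("!II", 8, SSL_REQUEST_CODE)


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a listener sees on a new connection.

    'ssl-request'  in-band negotiation, PostgreSQL's current model
    'startup'      plaintext StartupMessage (client never asked for TLS)
    'tls-record'   a TLS handshake record; this is what a hypothetical
                   implicit-TLS port (ssl_port, ldaps-style) would see
    'unknown'      anything else
    """
    # TLS record header: content type 0x16 (handshake), major version 0x03.
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-record"
    if len(data) >= 8:
        length, code = struct.unpack("!II", data[:8])
        if length == 8 and code == SSL_REQUEST_CODE:
            return "ssl-request"
        # A StartupMessage is at least len + version + terminating NUL.
        if code == PROTOCOL_3_0 and length >= 9:
            return "startup"
    return "unknown"


def server_answer_ssl_request(conn: socket.socket, ssl_enabled: bool) -> None:
    """Toy backend: read the SSLRequest, reply 'S' (willing) or 'N' (not).

    Everything up to and including this reply travels in cleartext; a real
    backend would start the TLS handshake on the same socket after 'S'.
    """
    req = conn.recv(8)
    if classify_first_bytes(req) != "ssl-request":
        conn.close()
        return
    conn.sendall(b"S" if ssl_enabled else b"N")


def client_negotiate(conn: socket.socket, sslmode: str) -> str:
    """Toy libpq: send SSLRequest, interpret the one-byte answer.

    Returns 'tls' when the next step would be the TLS handshake, 'plain' when
    the client agrees to go on unencrypted, and raises when sslmode forbids
    a cleartext fallback. (The toy does not perform the handshake itself.)
    """
    conn.sendall(build_ssl_request())
    answer = conn.recv(1)
    if answer == b"S":
        return "tls"
    if answer == b"N":
        if sslmode in ("require", "verify-ca", "verify-full"):
            raise ConnectionError("server refused SSL and sslmode=%s" % sslmode)
        return "plain"
    raise ConnectionError("unexpected reply to SSLRequest: %r" % answer)


def run_negotiation(ssl_enabled: bool, sslmode: str) -> str:
    """Drive toy client and server over a socketpair (no network, no TLS)."""
    client, server = socket.socketpair()
    srv = threading.Thread(
        target=server_answer_ssl_request, args=(server, ssl_enabled))
    srv.start()
    try:
        return client_negotiate(client, sslmode)
    finally:
        srv.join()
        client.close()
        server.close()


if __name__ == "__main__":
    # Constructed sample of what an implicit-TLS port would see first.
    client_hello_prefix = b"\x16\x03\x01\x00\xf4\x01"
    print(classify_first_bytes(build_ssl_request()))       # ssl-request
    print(classify_first_bytes(client_hello_prefix))       # tls-record
    print(run_negotiation(ssl_enabled=True, sslmode="require"))   # tls
    print(run_negotiation(ssl_enabled=False, sslmode="prefer"))   # plain
```

The point the classifier makes explicit: on today's single port the server must read and answer a cleartext protocol message before any TLS can begin, and the client's sslmode is the only thing that decides whether an 'N' is fatal. On an implicit-TLS port the first bytes are already a TLS record, so there is no cleartext exchange to get wrong, at the cost of a second port number.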


