Re: Should we back-patch SSL renegotiation fixes?
From | Tom Lane |
---|---|
Subject | Re: Should we back-patch SSL renegotiation fixes? |
Date | |
Msg-id | 10237.1435187962@sss.pgh.pa.us |
In response to | Re: Should we back-patch SSL renegotiation fixes? (Robert Haas <robertmhaas@gmail.com>) |
List | pgsql-hackers |

Robert Haas <robertmhaas@gmail.com> writes:
> On Wed, Jun 24, 2015 at 3:49 PM, Andres Freund <andres@anarazel.de> wrote:
>> On 2015-06-24 15:41:22 -0400, Peter Eisentraut wrote:
>>> One more argument for leaving everything alone. If users don't like it,
>>> they can turn it off themselves.

>> Because it's so obvious to get there from "SSL error: unexpected
>> message", "SSL error: bad write retry" or "SSL error: unexpected record"
>> to disabling renegotiation. Right? Search the archives and you'll find
>> plenty of those, mostly in relation to streaming rep. It took -hackers
>> years to figure out what causes those, how are normal users supposed to
>> a) correlate such errors with renegotiation b) evaluate what to do about
>> it?

> We could document the issues, create release-note entries suggesting a
> configuration change, and/or blog about it.

> I don't accept the argument that there are not ways to tell users
> about things they might want to do.

I think there's a strong argument for changing the default setting to
zero (no renegotiation), even in the back branches.

regards, tom lane