Re: SSL renegotiation

On Fri, Jul 12, 2013 at 08:51:52PM -0400, Noah Misch wrote:
> On Fri, Jul 12, 2013 at 04:32:52PM -0400, Alvaro Herrera wrote:
> > Now, should we support the 0.9.6-and-earlier mechanism?  My
> > inclination is no; even RHEL 3, the oldest supported Linux
> > distribution, uses 0.9.7 (Heck, even Red Hat Linux 9, released on
> > 2003).  To see OpenSSL 0.9.6 you need to go back to Red Hat Linux
> > 7.2, released on 2001 using a Linux kernel 2.4.  Surely no one in
> > their right mind would use a current Postgres release on such an
> > ancient animal.
> 
> Agreed.  The OpenSSL Project last applied a security fix to 0.9.6
> over eight years ago.  Compatibility with 0.9.6 has zero or negative
> value.

You've made a persuasive case that we should actively break backward
compatibility here.  Would that be complicated to do?

Cheers,
David.
-- 
David Fetter <david@fetter.org> http://fetter.org/
Phone: +1 415 235 3778  AIM: dfetter666  Yahoo!: dfetter
Skype: davidfetter      XMPP: david.fetter@gmail.com
iCal: webcal://www.tripit.com/feed/ical/people/david74/tripit.ics

Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate