Magnus Hagander <magnus@hagander.net> writes:
> If so, shouldn't we try to disable renegotiation for all versions
> *before* it was properly fixed?
If we could tell that, sure. But I don't believe there is any way to
identify whether a given installation of openssl has this patched.
Please don't suggest looking at the version number --- Red Hat and
other vendors are in the habit of back-patching security fixes without
changing the version number.
> Which today means all versions released. The proper fix is in 0.9.8m,
> which is currently in beta. At least that's my understanding.
Red Hat's already shipping the patch. Dunno about other vendors.
The real bottom line here is that this isn't our bug. It's unfortunate
that we're affected by it, but that doesn't mean that we should be
installing kluges to work around it.
regards, tom lane