Re: Recent vendor SSL renegotiation patches break PostgreSQL

2010/2/22 Chris Campbell <chris_campbell@mac.com>:
> On Feb 22, 2010, at 12:25 PM, Tom Lane wrote:
>
>> I think we already missed the window where it would have been sensible
>> to install a hack workaround for this.  If we'd done that in November
>> it might have been reasonable, but by now it's too late for any hack
>> we install to spread much faster than fixed openssl libraries.
>
> Could we simply ignore renegotiation errors? Or change them to warnings? That may enable us to work with the
semi-fixedOpenSSL libraries that are currently in the field, without disabling the functionality altogether. 

I guess we could, but if we do that then we've opened a window where
someone can attack us if we *have* a properly working openssl, haven't
we?


-- Magnus HaganderMe: http://www.hagander.net/Work: http://www.redpill-linpro.com/