Re: [PATCH] add ssl_protocols configuration option
From | Magnus Hagander |
---|---|
Subject | Re: [PATCH] add ssl_protocols configuration option |
Date | |
Msg-id | CABUevEyAehByVLEEUhHjdrx5uoyU1h2zkOkLmp1ihRxxYfHx6g@mail.gmail.com |
In reply to | Re: [PATCH] add ssl_protocols configuration option (Tom Lane <tgl@sss.pgh.pa.us>) |
Replies | Re: [PATCH] add ssl_protocols configuration option |
List | pgsql-hackers |

On Oct 19, 2014 9:18 PM, "Tom Lane" <tgl@sss.pgh.pa.us> wrote:
>
> Magnus Hagander <magnus@hagander.net> writes:
> > On Sun, Oct 19, 2014 at 6:17 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> >> And in the end, if we set values like this from PG --- whether
> >> hard-wired or via a GUC --- the SSL library people will have exactly
> >> the same perspective with regards to *our* values. And not without
> >> reason; we were forcing very obsolete settings up till recently,
> >> because nobody had looked at the issue for a decade. I see no reason
> >> to expect that that history won't repeat itself.
>
> > The best part would be if we could just leave it up to the SSL
> > library, but at least the openssl one doesn't have an API that lets us
> > do that, right? We *have* to pick something...
>
> As far as protocol version goes, I think our existing coding basically
> says "prefer newest available version, but at least TLS 1.0". I think
> that's probably a reasonable approach.
>

Yes, it does that. Though it only does it on 9.4, but with the facts we know now, what 9.4+ does is perfectly safe.

/Magnus