Re: [PATCH] add ssl_protocols configuration option
From | Magnus Hagander |
---|---|
Subject | Re: [PATCH] add ssl_protocols configuration option |
Date | |
Msg-id | CABUevEzK+YGZtuhD7Dk49QHV5_MHDnD_pymQjXd6_Enp+O0wOw@mail.gmail.com |
In response to | Re: [PATCH] add ssl_protocols configuration option (Dag-Erling Smørgrav <des@des.no>) |
List | pgsql-hackers |
On Thu, Nov 20, 2014 at 10:19 AM, Dag-Erling Smørgrav <des@des.no> wrote:
> Magnus Hagander <magnus@hagander.net> writes:
>> Alex Shulgin <ash@commandprompt.com> writes:
>> > * The code allows specifying SSLv2 and SSLv3 in the GUC, but removes
>> > them forcibly after parsing the complete string (a warning is issued).
>> > Should we also add a note about this to the documentation?
>> I see no reason to accept them at all, if we're going to reject them
>> later anyway.
>>
>> We can argue (as was done earlier in this thread) if we can drop SSL
>> 3.0 completely -- but we can *definitely* drop SSLv2, and we should.
>> But anything that we're going to reject at a later stage anyway, we
>> should reject early.
>
> It's not really "early or late", but rather "within the loop or at the
> end of it". From the users' perspective, the difference is that they
> get (to paraphrase) "SSLv2 is not allowed" instead of "syntax error" and
> that they can use constructs such as "ALL:-SSLv2".

Ah, I see now - I hadn't looked at the code, just the review comment. It's a "fallout" from the reverse logic in openssl. Then it makes a lot more sense.

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
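The difference discussed in this message, between refusing SSLv2 inside the parsing loop and stripping it after the loop, as an added example that is not part of the original message or of the patch under review. The bit flags, return codes, function name and the TLSv1* token names are assumptions made for the illustration, and only SSLv2 is treated as forbidden.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical flags, return codes and TLSv1* names; not PostgreSQL or OpenSSL constants. */
enum { P_SSLV2 = 1, P_SSLV3 = 2, P_TLSV1 = 4, P_TLSV1_1 = 8, P_TLSV1_2 = 16,
       P_ALL = 31, P_FORBIDDEN = P_SSLV2 };
enum { PARSE_OK = 0, PARSE_STRIPPED = 1, PARSE_SYNTAX = -1 };

static const struct { const char *name; int bits; } known[] = {
    {"ALL", P_ALL}, {"SSLv2", P_SSLV2}, {"SSLv3", P_SSLV3},
    {"TLSv1", P_TLSV1}, {"TLSv1.1", P_TLSV1_1}, {"TLSv1.2", P_TLSV1_2},
};

/*
 * Parse a colon-separated list such as "ALL:-SSLv2" into *enabled.
 * reject_in_loop != 0: the forbidden name is not accepted as a token at all,
 *   so even "-SSLv2" can only be reported as a syntax error.
 * reject_in_loop == 0: every known name parses; forbidden bits are cleared
 *   after the loop and PARSE_STRIPPED tells the caller to issue a warning.
 */
int parse_protocols(const char *spec, int reject_in_loop, int *enabled)
{
    int set = 0;
    for (const char *p = spec;; p++) {          /* p++ skips the ':' */
        int negate = (*p == '-'), bits = 0;
        if (*p == '-' || *p == '+')
            p++;
        size_t len = strcspn(p, ":");
        for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
            if (strlen(known[i].name) == len && !strncmp(p, known[i].name, len))
                bits = known[i].bits;
        if (bits == 0 || (reject_in_loop && bits == P_FORBIDDEN))
            return PARSE_SYNTAX;
        if (reject_in_loop)
            bits &= ~P_FORBIDDEN;               /* ALL = all permitted ones */
        set = negate ? (set & ~bits) : (set | bits);
        p += len;
        if (*p == '\0')
            break;
    }
    *enabled = set & ~P_FORBIDDEN;
    return (set & P_FORBIDDEN) ? PARSE_STRIPPED : PARSE_OK;
}

int main(void)
{
    int e = 0, rc = parse_protocols("ALL:-SSLv2", 0, &e);
    printf("rc=%d enabled=0x%x\n", rc, (unsigned)e);
    return 0;
}
```

With the check at the end of the loop, "ALL:-SSLv2" parses cleanly and "SSLv2:TLSv1.2" yields a specific warning; with the check inside the loop both strings fail as syntax errors.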