Robert Haas <robertmh...@gmail.com> writes:
> I am not persuaded by this argument. Suppose we added a server option
> like ssl_port which causes us to listen on an additional port and, on
> that port, everything, from the first byte on this connection, is
> encrypted using SSL.

Right, a separate port number (much akin to http 80 vs https 443) is pretty much the only way this could be managed. That's messy enough that I don't see anyone wanting to do it for purely-hypothetical benefits. If we'd done it that way from the start, it'd be fine; but there's way too much established practice now.

> Now that being said, https://www.openldap.org/faq/data/cache/605.html
> claims that ldaps (encrypt from the first byte) is deprecated in favor
> of STARTTLS (encrypt by negotiation). It's interesting that Jacob is
> proposing to introduce as a new and better option the thing they've
> decided they don't like.

Indeed, that is interesting. I wonder if we can find the discussions that led to that decision.

regards, tom lane
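The distinction the thread draws, encryption from the first byte on a dedicated port versus encryption negotiated in cleartext on the existing port, is easiest to see from the client side. The following is an added example, not code from the thread or from PostgreSQL itself; it builds the 8-byte SSLRequest message a client sends in cleartext at the start of a negotiated connection, interprets the server's one-byte 'S'/'N' answer, and refuses to continue when TLS is declined, since that downgrade is the risk a negotiation step carries and a first-byte-TLS port does not. The fake server used for the offline run is a constructed stand-in, not a PostgreSQL backend.

```python
import socket
import struct
import threading

# PostgreSQL SSLRequest: Int32 length (8) followed by the code 80877103,
# i.e. 1234 in the high 16 bits and 5679 in the low 16 bits. Both values are
# defined in the PostgreSQL frontend/backend protocol documentation.
SSL_REQUEST_CODE = 80877103


def build_ssl_request() -> bytes:
    """Return the 8-byte SSLRequest a client sends in cleartext before any TLS."""
    return struct.pack("!ii", 8, SSL_REQUEST_CODE)


def parse_ssl_response(byte: bytes) -> bool:
    """Interpret the server's single-byte answer: b'S' accepts TLS, b'N' refuses it."""
    if byte == b"S":
        return True
    if byte == b"N":
        return False
    raise ValueError(f"unexpected SSLRequest response {byte!r}")


def negotiate_tls(sock: socket.socket, require_tls: bool = True) -> bool:
    """Perform the cleartext negotiation step of a STARTTLS-style connection.

    With require_tls set, an 'N' answer aborts the connection instead of
    silently carrying on unencrypted; a client that ignores the answer is
    open to a downgrade that a dedicated first-byte-TLS port cannot suffer.
    """
    sock.sendall(build_ssl_request())
    accepted = parse_ssl_response(sock.recv(1))
    if not accepted and require_tls:
        sock.close()
        raise ConnectionError("server refused TLS; not continuing in cleartext")
    return accepted


def _fake_server(sock: socket.socket, answer: bytes) -> None:
    # Constructed stand-in for the server side: reads the SSLRequest and
    # replies with the configured byte. Not PostgreSQL behaviour beyond that.
    data = sock.recv(8)
    assert data == build_ssl_request(), "client did not send a valid SSLRequest"
    sock.sendall(answer)
    sock.close()


def simulate(answer: bytes, require_tls: bool) -> bool:
    """Run the negotiation over a socketpair against the fake server."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=_fake_server, args=(server, answer))
    worker.start()
    try:
        return negotiate_tls(client, require_tls)
    finally:
        worker.join()
        client.close()


def refuses_downgrade() -> bool:
    """True if a TLS-requiring client aborts when the server answers 'N'."""
    try:
        simulate(b"N", require_tls=True)
    except ConnectionError:
        return True
    return False


if __name__ == "__main__":
    print("SSLRequest bytes:", build_ssl_request().hex())
    print("server accepts TLS:", simulate(b"S", require_tls=True))
    print("client refuses downgrade:", refuses_downgrade())
```

The point of `require_tls` is that the negotiation's safety depends entirely on the client honouring the 'N' answer; a port that speaks TLS from the first byte removes that decision from the client altogether, which is the trade-off the thread is weighing.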