On Thu, Nov 20, 2014 at 10:19 AM, Dag-Erling Smørgrav <d...@des.no> wrote:
> Magnus Hagander <mag...@hagander.net> writes:
>> Alex Shulgin <a...@commandprompt.com> writes:
>> > * The code allows specifying SSLv2 and SSLv3 in the GUC, but removes
>> > them forcibly after parsing the complete string (a warning is issued).
>> > Should we also add a note about this to the documentation?
>> I see no reason to accept them at all, if we're going to reject them
>> later anyway.
>>
>> We can argue (as was done earlier in this thread) if we can drop SSL
>> 3.0 completely -- but we can *definitely* drop SSLv2, and we should.
>> But anything that we're going to reject at a later stage anyway, we
>> should reject early.
>
> It's not really "early or late", but rather "within the loop or at the
> end of it". From the users' perspective, the difference is that they
> get (to paraphrase) "SSLv2 is not allowed" instead of "syntax error" and
> that they can use constructs such as "ALL:-SSLv2".

Ah, I see now - I hadn't looked at the code, just the review comment.
It's a "fallout" from the reverse logic in openssl. Then it makes a lot
more sense.

-- 
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
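
The "within the loop or at the end of it" distinction from this thread, as an added example that is not code from the patch under review or from PostgreSQL. The token grammar, the bit values and the name `parse_protocols` are assumptions made for illustration; only the behaviour (forbidden protocols are removed after the whole string has been applied, with a warning instead of a syntax error) comes from the discussion.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical protocol bits; not PostgreSQL's or OpenSSL's own constants. */
enum { P_SSLV2 = 1, P_SSLV3 = 2, P_TLSV1 = 4, P_TLSV1_1 = 8, P_TLSV1_2 = 16,
       P_ALL = 31, P_FORBIDDEN = P_SSLV2 | P_SSLV3 };

static const struct { const char *name; int bits; } known[] = {
    {"ALL", P_ALL}, {"SSLv2", P_SSLV2}, {"SSLv3", P_SSLV3},
    {"TLSv1", P_TLSV1}, {"TLSv1.1", P_TLSV1_1}, {"TLSv1.2", P_TLSV1_2},
};

/* Parse a colon-separated list such as "ALL:-SSLv2" into an allowed mask.
 * Returns -1 only for an unknown or empty token (a real syntax error).
 * *stripped receives the forbidden bits still enabled at the end of the list. */
int parse_protocols(const char *spec, int *stripped)
{
    int mask = 0;
    const char *p = spec;

    *stripped = 0;
    while (*p) {
        size_t len = strcspn(p, ":");
        int minus = (*p == '-');
        const char *tok = p + (minus || *p == '+');
        size_t tlen = len - (size_t)(tok - p);
        int bits = 0;

        for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
            if (strlen(known[i].name) == tlen && memcmp(known[i].name, tok, tlen) == 0)
                bits = known[i].bits;
        if (bits == 0)
            return -1;                      /* unknown token: syntax error */
        mask = minus ? (mask & ~bits) : (mask | bits);
        p += len + (p[len] == ':');
    }
    *stripped = mask & P_FORBIDDEN;         /* checked once, after the loop */
    return mask & ~P_FORBIDDEN;
}

int main(void)
{
    int stripped, mask = parse_protocols("ALL:-SSLv2", &stripped);

    if (stripped & P_SSLV3)
        fprintf(stderr, "WARNING: SSLv3 is not allowed, removed\n");
    printf("allowed mask: 0x%x\n", (unsigned) mask);
    return 0;
}
```

Rejecting `SSLv2` as a token inside the loop would instead turn `ALL:-SSLv2` into a syntax error, which is the user-visible difference described in the quoted reply.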