On 06/25/2015 03:03 PM, Andres Freund wrote:
> The situation is this: We have broken code using broken code. I think we
> either got to apply, darn nontrivial, fixes from
> http://archives.postgresql.org/message-id/54DE6FAF.6050005%40vmware.com
> or we got to cripple the options.
>
> It's also not the first breakage, we've applied a lot of bandaids to
> this code already. Our way of doing renegotiation also has broken
> several SSL client implementations...

Note that even with those patches, renegotiation is still broken in some
scenarios:
http://www.postgresql.org/message-id/54dcf736.2060...@vmware.com. As far
as I can tell, OpenSSL's handling of renegotiation is fundamentally
broken, and there is nothing we can do in the application to completely
work around that.

+1 for changing the default to disable renegotiation, in all branches.

- Heikki