On Wed, 18 Dec 2002, Bruce Momjian wrote: > Marc G. Fournier wrote: > > > My question is whether it is safe to be making this change in a minor > > > release? Does it work with 7.3 to 7.3.1 combinations? My other > > > question is, if SSLv2 isn't secure, couldn't a client say they only > > > support SSLv2, and hence break into the server? That was my original > > > hesitancy, that and the fact Bear the SSL guy didn't want it. > > > > Wow, which part of "A TLS/SSL connection established with these methods > > will understand the SSLv2, SSLv3, and TLSv1 protocol" are you finiding > > particularly confusing? As nate explained to you, and the man page > > section I commited states, TLSv1_method *only* supports TLS connections > > ... SSLv23_method supports SSLv2, v3 and TLSv1 ... > > > > As for 'break into the server" ... ummm ... isn't that what pg_hba.conf is > > for? I don't know about servers you run, but I don't let just anyone > > connect to my server, and, in fact, close down the databases themsleves to > > specific users ... if you don't trust the client, why are you giving him > > accss to your data, regardless of the protocol being used to encrypt the > > sessino?? > > I wasn't sure how insecure SSL2 was, and whether it allowed you to > authenticate without a password or something.
SSL2 seems to get a lot of votes for being broken in ways that cannot be fixed because they aren't simple buffer overflows. see: http://www.lne.com/ericm/papers/ssl_servers.html#1.2 My suggestion would be to eventually phase out ssl2 in favor of ssl3 or tls. And, as we are phasing it out, make it an opt-in thing, where the dba has to turn on ssl2 KNOWING he is turning on a flawed protocol. ---------------------------(end of broadcast)--------------------------- TIP 2: you can get off all lists at once with the unregister command (send "unregister YourEmailAddressHere" to [EMAIL PROTECTED])
