Marc G. Fournier wrote:
> > In short, I wouldn't call SSLv2 insecure, just less secure than v3. I
> > think it's perfectly reasonable to phase it out, just not right now.
> > It'd be nice to have some sort of transition version so you wouldn't
> > have to switch over all your different client programs at the same time
> > you switch all the servers. My preference would be for backwards
> > compatibility in 7.3 and then eliminate it or provide a compile-time
> > option in 7.4. If the client stays with TLSv1, newer clients will only
> > use the more secure protocols and older clients will still have the same
> > problems they did before. I don't think that's too much of a problem.
>
> Actually, it would be nice if someone submitted a patch that makes choosing
> which method a configure option :)
>
> If nobody else does it, I'll try after I get back from my folks after the
> holidays ...
Well, I had time to research it and looked at that URL on SSL2 vulnerabilities. Seems all the problems are with man-in-the-middle cases, and with connections not being properly authenticated. They are not of the variety where you could just attach to the port and somehow bypass a password prompt or anything like that. If users always use TLS-capable clients, there shouldn't be any issue.

I was kind of surprised that folks couldn't get the existing TLS code working because I had it working here, and I don't have the newest setup. I thought that TLS support was merely having a more recent version of OpenSSL --- at least that's how I understood it from the SSL author Bear.

--
Bruce Momjian | http://candle.pha.pa.us
[EMAIL PROTECTED] | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073