> We clearly need to have a 7.3.2, but I was thinking late January would
> be about the right time frame. Bugs are still trickling in (eg, the
> plpgsql one Neil just identified), and so far we've not seen anything
> that would make me feel we need an immediate release ...
I'm biased, but I think
> At this point, all the SSL2 problems are conjecture on my part, which I
> don't understand. I hesitate to do anything until someone really
> knowledgeable can comment. Re-enabling SSL2 as part of 7.3.1 makes
> sense until we can get a definitive answer on the risks involved.
I'm not an expert,
> I have made the change and am just building v7.3.1 right now ... should be
> available in a few minutes, and I'll announce it this evening as being
> available ... can you grab a copy and make sure that it works as
> expected?
It works fine for me.
--Nate
> Well, we break backward compatibility so people can't use SSL2 to
> connect to the server. Backward compatibility to a broken protocol
> isn't what I would call secure. Is that accurate?
I suppose. As long as the incompatibility is mentioned in HISTORY I'm
fine.
--Nate
> I am confused. How can we switch back to SSLv23_method and still be
> compatible with TLSv1_method. Does SSLv23_method support both?
SSLv23 understands SSLv2, SSLv3 and TLSv1. When used in a client it uses
SSLv2 but tells the server it can understand the other ones too. Check
out the SSL_CTX_new
> I believe that pre7-3 SSL clients will work in 7.3.1, or am I wrong?
In 7.3 the SSL protocol switched from SSLv2 to TLSv1. If the server
method is switched to SSLv23_method it will be backwards compatible with
pre-7.3 clients without sacrificing the added security of TLSv1 for
newer stuff. There
Could you put a note in HISTORY about the incompatibility with pre-7.3
SSL clients?
--Nate
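
The following is an added example, not part of the original thread or of PostgreSQL's code. It goes one step beyond the discussion to the wire format: a server-side check that classifies the first bytes a client sends, telling apart an SSLv2-only client, an SSLv23-style client (SSLv2-framed hello that offers a higher version), and a TLSv1-only client. All names and the sample byte strings are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum hello_format { HELLO_UNKNOWN, HELLO_SSL2_FRAMED, HELLO_TLS_RECORD };
struct hello_info { enum hello_format format; unsigned major, minor; };

/* Constructed sample prefixes (first bytes of a ClientHello), not captures. */
static const uint8_t ssl2_only[]   = {0x80, 0x1c, 0x01, 0x00, 0x02};
static const uint8_t v23_client[]  = {0x80, 0x2e, 0x01, 0x03, 0x01};
static const uint8_t tls1_client[] = {0x16, 0x03, 0x01, 0x00, 0x2f,
                                      0x01, 0x00, 0x00, 0x2b, 0x03, 0x01};

/* Classify the first client message. Returns 0 on success, -1 if the buffer
 * is too short or is not a ClientHello in either framing. */
int classify_client_hello(const uint8_t *buf, size_t len, struct hello_info *out)
{
    out->format = HELLO_UNKNOWN;
    out->major = out->minor = 0;
    /* SSLv2 framing: 2-byte header with the top bit set, msg_type 0x01
     * (CLIENT-HELLO), then the highest version the client offers. */
    if (len >= 5 && (buf[0] & 0x80) && buf[2] == 0x01) {
        out->format = HELLO_SSL2_FRAMED;
        out->major = buf[3];
        out->minor = buf[4];
        return 0;
    }
    /* SSLv3/TLS framing: record type 0x16 (handshake), record version,
     * 2-byte length, handshake type 0x01, 3-byte length, client_version. */
    if (len >= 11 && buf[0] == 0x16 && buf[1] == 0x03 && buf[5] == 0x01) {
        out->format = HELLO_TLS_RECORD;
        out->major = buf[9];
        out->minor = buf[10];
        return 0;
    }
    return -1;
}

/* 1 if the client can speak nothing newer than SSLv2 (version 0.2). */
int is_ssl2_only(const struct hello_info *h)
{
    return h->format == HELLO_SSL2_FRAMED && h->major == 0 && h->minor == 2;
}

int main(void)
{
    struct hello_info h;
    if (classify_client_hello(v23_client, sizeof v23_client, &h) == 0)
        printf("format=%d offers %u.%u ssl2_only=%d\n",
               h.format, h.major, h.minor, is_ssl2_only(&h));
    return 0;
}
```

Version 3.1 on the wire is TLSv1, so the `v23_client` sample is a client that can be negotiated up to TLSv1, while `ssl2_only` is the case a TLSv1-only server refuses.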