Tom Lane <t...@sss.pgh.pa.us> writes: > And in the end, if we set values like this from PG --- whether > hard-wired or via a GUC --- the SSL library people will have exactly > the same perspective with regards to *our* values. And not without > reason; we were forcing very obsolete settings up till recently, > because nobody had looked at the issue for a decade. I see no reason > to expect that that history won't repeat itself.
I'm not sure what you're saying here, but - I'm not sure how familiar you are with the OpenSSL API, but it's insecure by default. There is *no other choice* for an application than to explicitly select which protocols it wants to use (or at least which protocols it wants to avoid). And you can't change OpenSSL, because a ton of old crappy software is going to break. DES -- Dag-Erling Smørgrav - d...@des.no -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers