Dag-Erling Smørgrav wrote: > Martijn van Oosterhout <klep...@svana.org> writes: > > Dag-Erling Smørgrav <d...@des.no> writes: > > > Martijn van Oosterhout <klep...@svana.org> writes: > > > > Since you can already specify the cipher list, couldn't you just > > > > add -SSLv3 to the cipher list and be done? > > > I didn't want to change the existing behavior; all I wanted was to > > > give users a way to do so if they wish. > > I think we should just disable SSL3.0 altogether. The only way this > > could cause problems is if people are using PostgreSQL with an OpenSSL > > library from last century. As for client libraries, even Windows XP > > supports TLS1.0. > > As far as I'm concerned (i.e. as far as FreeBSD and the University of > Oslo are concerned), I couldn't care less about anything older than > 0.9.8, which is what FreeBSD 8 and RHEL5 have, but I don't feel > comfortable making that decision for other people. On the gripping > hand, no currently supported version of libpq uses anything older than > TLS; 9.0 through 9.3 use TLS 1.0 only while 9.4 uses TLS 1.0 or higher.
OpenSSL just announced a week or two ago that they're abandoning support for 0.9.8 by the end of next year[1], which means its replacements have been around for a really long time. I think it's fine to drop 0.9.7 support --- we already dropped support for 0.9.6 with the renegotiation rework[2] in the 9.4 timeframe. OpenSSL 0.9.7 has already not gotten fixes for all the latest flurry of security issues, so anyone *is* using SSL but not at least the 0.9.8 branch, they are in trouble. [1] http://openssl.6102.n7.nabble.com/OpenSSL-0-9-8-End-Of-Life-Announcement-td54155.html [2] http://www.postgresql.org/message-id/20130712203252.gh29...@eldon.alvh.no-ip.org -- Álvaro Herrera http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Training & Services -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
