Marc G. Fournier wrote: > On Tue, 17 Dec 2002, Nathan Mueller wrote: > > > > Well, we break backward compatibility so people can't use SSL2 to > > > connect to the server. Backward compatibility to a broken protocol > > > isn't what I would call secure. Is that accurate? > > > > I suppose. As long as the incompatibilty is mentioned in HISTORY I'm > > fine. > > I read the SSL_CTX_new man page, and they recommend using SSLv23_method to > provide backwards compatibility ... if someone doesn't wan tto use SSL2, > they have the option to use TLS, but we shouldn't be forcigin them to use > one or the othe r... > > I have made the change and am just building v7.3.1 right now ... should be > available in a few minutes, and I'll announce it this evening as being > available ... can you grab a copy and make sure that it works as expected?
OK, I see from your commit message: From the SSL_CTX_new man page: "SSLv23_method(void), SSLv23_server_method(void), SSLv23_client_method(void) A TLS/SSL connection established with these methods will understand the SSLv2, SSLv3, and TLSv1 protocol. A client will send out SSLv2 client hello messages and will indicate that it also understands SSLv3 and TLSv1. A server will understand SSLv2, SSLv3, and TLSv1 client hello messages. This is the best choice when compatibility is a concern." This will maintain backwards compatibility for those us that don't use TLS connections ... My question is whether it is safe to be making this change in a minor release? Does it work with 7.3 to 7.3.1 combinations? My other question is, if SSLv2 isn't secure, couldn't a client say they only support SSLv2, and hence break into the server? That was my original hesitancy, that and the fact Bear the SSL guy didn't want it. -- Bruce Momjian | http://candle.pha.pa.us [EMAIL PROTECTED] | (610) 359-1001 + If your life is a hard drive, | 13 Roberts Road + Christ can be your backup. | Newtown Square, Pennsylvania 19073 ---------------------------(end of broadcast)--------------------------- TIP 4: Don't 'kill -9' the postmaster
