Marko Kreen writes:
> On Sat, Jan 25, 2014 at 12:25:30PM -0500, Tom Lane wrote:
>> Alternatively, given that TLS has been around for a dozen years and
>> openssl versions that old have not gotten security updates for a long
>> time, why don't we just reject SSLv3 on the backend side too?
> Attach
On Sat, Jan 25, 2014 at 12:25:30PM -0500, Tom Lane wrote:
> Alternatively, given that TLS has been around for a dozen years and
> openssl versions that old have not gotten security updates for a long
> time, why don't we just reject SSLv3 on the backend side too?
> I guess it's barely possible that
On 01/26/2014 10:13 AM, Alvaro Herrera wrote:
> Stephen Frost wrote:
>> * Noah Misch (n...@leadboat.com) wrote:
>>> +1. If you can upgrade to 9.4, you can also bring your TLS protocol out of
>>> the iron age.
>>
>> Agreed- this was going to be my 2c. Anyone w/ an SSL library that old
>> isn't
Stephen Frost wrote:
> * Noah Misch (n...@leadboat.com) wrote:
> > +1. If you can upgrade to 9.4, you can also bring your TLS protocol out of
> > the iron age.
>
> Agreed- this was going to be my 2c. Anyone w/ an SSL library that old
> isn't likely to be upgrading to 9.4 of libpq or PG.
What
* Noah Misch (n...@leadboat.com) wrote:
> +1. If you can upgrade to 9.4, you can also bring your TLS protocol out of
> the iron age.
Agreed- this was going to be my 2c. Anyone w/ an SSL library that old
isn't likely to be upgrading to 9.4 of libpq or PG.
Thanks,
Stephen
On Sat, Jan 25, 2014 at 12:25:30PM -0500, Tom Lane wrote:
> Noah Misch writes:
> > On Sat, Jan 25, 2014 at 11:24:19AM -0500, Tom Lane wrote:
> >> why wasn't the backend also made to reject SSL v3?
>
> > The backend allows SSLv3, TLSv1, TLSv1.1 and TLSv1.2. Before the patch,
> > libpq
> > allowe
Noah Misch writes:
> On Sat, Jan 25, 2014 at 11:24:19AM -0500, Tom Lane wrote:
>> why wasn't the backend also made to reject SSL v3?
> The backend allows SSLv3, TLSv1, TLSv1.1 and TLSv1.2. Before the patch, libpq
> allowed TLSv1 only. Since the patch, libpq allows TLSv1, TLSv1.1 and TLSv1.2.
>
On Sat, Jan 25, 2014 at 11:24:19AM -0500, Tom Lane wrote:
> Noah Misch writes:
> > libpq: Support TLS versions beyond TLSv1.
>
> > Per report from Jeffrey Walton, libpq has been accepting only TLSv1
> > exactly. Along the lines of the backend code, libpq will now support
> > new versions as Open
Noah Misch writes:
> libpq: Support TLS versions beyond TLSv1.
> Per report from Jeffrey Walton, libpq has been accepting only TLSv1
> exactly. Along the lines of the backend code, libpq will now support
> new versions as OpenSSL adds them.
This patch seems fishy. The commit comment claims tha