| From: | Dag-Erling Smørgrav <des(at)des(dot)no> |
|---|---|
| To: | Magnus Hagander <magnus(at)hagander(dot)net> |
| Cc: | Alex Shulgin <ash(at)commandprompt(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: [PATCH] add ssl_protocols configuration option |
| Date: | 2014-11-20 09:19:19 |
| Message-ID: | 86d28idyaw.fsf@nine.des.no |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Magnus Hagander <magnus(at)hagander(dot)net> writes:
> Alex Shulgin <ash(at)commandprompt(dot)com> writes:
> > * The code allows specifying SSLv2 and SSLv3 in the GUC, but removes
> > them forcibly after parsing the complete string (a warning is issued).
> > Should we also add a note about this to the documentation?
> I see no reason to accept them at all, if we're going to reject them
> later anyway.
>
> We can argue (as was done earlier in this thread) if we can drop SSL
> 3.0 completely -- but we can *definitely* drop SSLv2, and we should.
> But anything that we're going to reject at a later stage anyway, we
> should reject early.
It's not really "early or late", but rather "within the loop or at the
end of it". From the users' perspective, the difference is that they
get (to paraphrase) "SSLv2 is not allowed" instead of "syntax error" and
that they can use constructs such as "ALL:-SSLv2".
DES
--
Dag-Erling Smørgrav - des(at)des(dot)no
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Jeff Davis | 2014-11-20 09:21:55 | Re: group locking: incomplete patch, just for discussion |
| Previous Message | Magnus Hagander | 2014-11-20 08:49:24 | Re: [PATCH] add ssl_protocols configuration option |