Re: [PATCH] add ssl_protocols configuration option

On Thu, Nov 20, 2014 at 10:19 AM, Dag-Erling Smørgrav <des(at)des(dot)no> wrote:
> Magnus Hagander <magnus(at)hagander(dot)net> writes:
>> Alex Shulgin <ash(at)commandprompt(dot)com> writes:
>> > * The code allows specifying SSLv2 and SSLv3 in the GUC, but removes
>> > them forcibly after parsing the complete string (a warning is issued).
>> > Should we also add a note about this to the documentation?
>> I see no reason to accept them at all, if we're going to reject them
>> later anyway.
>>
>> We can argue (as was done earlier in this thread) if we can drop SSL
>> 3.0 completely -- but we can *definitely* drop SSLv2, and we should.
>> But anything that we're going to reject at a later stage anyway, we
>> should reject early.
>
> It's not really "early or late", but rather "within the loop or at the
> end of it". From the users' perspective, the difference is that they
> get (to paraphrase) "SSLv2 is not allowed" instead of "syntax error" and
> that they can use constructs such as "ALL:-SSLv2".

Ah, I see now - I hadn't looked at the code, just the review comment.
It's a "fallout" from the reverse logic in openssl. Then it makes a
lot more sense.

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/