Re: [PATCH] add ssl_protocols configuration option - Mailing list pgsql-hackers

From: Martijn van Oosterhout
Subject: Re: [PATCH] add ssl_protocols configuration option
Msg-id: 20141023063036.GA19809@svana.org
In response to: Re: [PATCH] add ssl_protocols configuration option (Dag-Erling Smørgrav <des@des.no>)
Responses: Re: [PATCH] add ssl_protocols configuration option
List: pgsql-hackers
On Wed, Oct 22, 2014 at 09:36:59PM +0200, Dag-Erling Smørgrav wrote:
> Martijn van Oosterhout <kleptog@svana.org> writes:
> > Dag-Erling Smørgrav <des@des.no> writes:
> > > If I understand correctly, imaps has been shown to be vulnerable as
> > > well, so I wouldn't be so sure.
> > Reference?
>
> Sorry, no reference.  I was told that Thunderbird was vulnerable to
> POODLE when talking imaps.

Ugh, found it. It does the same connection fallback stuff as firefox.

https://securityblog.redhat.com/2014/10/20/can-ssl-3-0-be-fixed-an-analysis-of-the-poodle-attack/

> > Since you can already specify the cipher list, couldn't you just add
> > -SSLv3 to the cipher list and be done?
>
> I didn't want to change the existing behavior; all I wanted was to give
> users a way to do so if they wish.

I think we should just disable SSL3.0 altogether. The only way this
could cause problems is if people are using PostgreSQL with an OpenSSL
library from last century.  As for client libraries, even Windows XP
supports TLS1.0.

Have a nice day,
--
Martijn van Oosterhout   <kleptog@svana.org>   http://svana.org/kleptog/
> He who writes carelessly confesses thereby at the very outset that he does
> not attach much importance to his own thoughts.  -- Arthur Schopenhauer
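As an added illustration (not code from the patch or from any poster) of what a protocol-level option like ssl_protocols buys over editing the cipher list: the server context below is restricted to a contiguous TLS version range and refuses SSLv3 outright, since POODLE is a flaw in SSL 3.0 itself rather than in any cipher. The space-separated syntax and the function names are my own assumptions, not the patch's.

```python
import ssl

# Protocol names the example's (assumed) ssl_protocols syntax accepts,
# mapped to Python's TLSVersion values, oldest first.
_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
_ORDER = list(_VERSIONS.values())


def parse_ssl_protocols(spec):
    """Return (minimum, maximum) TLSVersion for a space-separated list.

    SSLv2/SSLv3 are refused: no cipher choice makes SSL 3.0 safe from
    POODLE. Non-contiguous sets are refused because OpenSSL exposes only
    a min/max version range, not an arbitrary subset of versions.
    """
    names = spec.split()
    if not names:
        raise ValueError("ssl_protocols must list at least one protocol")
    for name in names:
        if name.upper() in ("SSLV2", "SSLV3"):
            raise ValueError(f"{name} is insecure and cannot be enabled")
        if name not in _VERSIONS:
            raise ValueError(f"unknown protocol {name!r}")
    idx = sorted(_ORDER.index(_VERSIONS[n]) for n in set(names))
    if idx != list(range(idx[0], idx[-1] + 1)):
        raise ValueError("protocol list must be a contiguous version range")
    return _ORDER[idx[0]], _ORDER[idx[-1]]


def build_server_context(spec, certfile=None, keyfile=None):
    """Server-side SSLContext limited to the versions named in spec."""
    lo, hi = parse_ssl_protocols(spec)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = lo
    ctx.maximum_version = hi
    if certfile:  # hypothetical paths; omitted so the example runs offline
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def enabled_protocols(ctx):
    """Names of the versions a built context will negotiate (sanity check)."""
    lo = _ORDER.index(ctx.minimum_version)
    hi = _ORDER.index(ctx.maximum_version)
    return [n for n, v in _VERSIONS.items() if lo <= _ORDER.index(v) <= hi]
```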
