Robert Haas <robertmhaas@gmail.com> writes:
> On Fri, Jun 26, 2015 at 9:59 AM, Andres Freund <andres@anarazel.de> wrote:
>> Generally I'd agree that that is a bad thing. But there's really not
>> much of a observable behaviour change in this case? Except that
>> connections using ssl break less often.
> Well, SSL renegotiation exists for a reason: to improve security.
That was the theory, yes, but the CVEs that have come out of it indicate
that whether it improves security *in practice* is a pretty debatable
topic. The fact that the new TLS draft drops it altogether tells us
something about the conclusion the standards community has arrived at.
regards, tom lane
