Home > mailing lists

Re: Recent vendor SSL renegotiation patches break PostgreSQL - Mailing list pgsql-hackers

From	Robert Haas
Subject	Re: Recent vendor SSL renegotiation patches break PostgreSQL
Date	February 3, 2010 14:32:47
Msg-id	603c8f071002030728y1d1bb029s86625336e53d02a9@mail.gmail.com Whole thread Raw
In response to	Re: Recent vendor SSL renegotiation patches break PostgreSQL (Tom Lane <tgl@sss.pgh.pa.us>)
Responses	Re: Recent vendor SSL renegotiation patches break PostgreSQL
List	pgsql-hackers

Tree view

On Wed, Feb 3, 2010 at 10:21 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Robert Haas <robertmhaas@gmail.com> writes:
>> Should we think about adding a GUC to disable renegotiation until this
>> blows over?
>
> Bad idea: once set, it'll never get unset, thus leaving installations
> with a weakened security posture even after they've installed fixed
> versions of openssl.

That's a problem, but our current posture of holding our breath
doesn't seem to be working either.  If we insist on shipping code that
doesn't work with currently-distributed versions of OpenSSL, people
will do things like, say, shut SSL off.  Or packagers of PostgreSQL
will apply patches that disable it unconditionally, leaving us with no
control.

...Robert

pgsql-hackers by date:

From: Tom Lane
Date: 03 February 2010, 14:29:16
Subject: Re: Recent vendor SSL renegotiation patches break PostgreSQL

From: Tom Lane
Date: 03 February 2010, 14:39:48
Subject: Re: Add on_trusted_init and on_untrusted_init to plperl UPDATED [PATCH]

Re: Recent vendor SSL renegotiation patches break PostgreSQL - Mailing list pgsql-hackers

Previous

Next