Re: [PATCH] add ssl_protocols configuration option - Mailing list pgsql-hackers

From Magnus Hagander
Subject Re: [PATCH] add ssl_protocols configuration option
Msg-id CABUevEzZypmBrKMAbNq4tEfHig5pEDxaMXrqThkdK_gaHJ5Pew@mail.gmail.com
In response to Re: [PATCH] add ssl_protocols configuration option  (Alex Shulgin <ash@commandprompt.com>)
Responses Re: [PATCH] add ssl_protocols configuration option  (Dag-Erling Smørgrav <des@des.no>)
List pgsql-hackers
On Wed, Nov 19, 2014 at 4:34 PM, Alex Shulgin <ash@commandprompt.com> wrote:
>
> Dag-Erling Smørgrav <des@des.no> writes:
>>
>> The attached patches add an ssl_protocols configuration option which
>> controls which versions of SSL or TLS the server will use.  The syntax is
>> similar to Apache's SSLProtocols directive, except that the list is
>> colon-separated instead of whitespace-separated, although that is easy
>> to change if it proves unpopular.
>
> Hello,
>
> Here is my review of the patch against master branch:
>
> * The code allows specifying SSLv2 and SSLv3 in the GUC, but removes
>   them forcibly after parsing the complete string (a warning is issued).
>   Should we also add a note about this to the documentation?

I see no reason to accept them at all, if we're going to reject them
later anyway.

We can argue (as was done earlier in this thread) if we can drop SSL
3.0 completely -- but we can *definitely* drop SSLv2, and we should.
But anything that we're going to reject at a later stage anyway, we
should reject early.

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
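The point argued above, reject SSLv2/SSLv3 when the value is parsed instead of accepting the names and stripping them with a warning afterwards, as an added example. This is not the patch under review nor PostgreSQL's own code; the grammar (colon-separated list, bare or "+" enables, "-" disables, "ALL" for every supported version, case-insensitive names) and the protocol table are assumptions made for the example, since the patch's exact rules are not on the page.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed protocol table (not the patch's). SSLv2/SSLv3 have bits only so
 * the parser can recognise them by name and refuse them. */
enum {
    PROTO_SSLV2  = 1u << 0,
    PROTO_SSLV3  = 1u << 1,
    PROTO_TLSV1  = 1u << 2,
    PROTO_TLSV11 = 1u << 3,
    PROTO_TLSV12 = 1u << 4
};
#define PROTO_FORBIDDEN (PROTO_SSLV2 | PROTO_SSLV3)
#define PROTO_ALL       (PROTO_TLSV1 | PROTO_TLSV11 | PROTO_TLSV12)

static const struct { const char *name; unsigned bit; } proto_names[] = {
    {"SSLv2", PROTO_SSLV2}, {"SSLv3", PROTO_SSLV3},
    {"TLSv1", PROTO_TLSV1}, {"TLSv1.1", PROTO_TLSV11}, {"TLSv1.2", PROTO_TLSV12}
};

/* Case-insensitive match of a length-delimited token against a keyword. */
static bool token_is(const char *tok, size_t len, const char *kw)
{
    if (strlen(kw) != len)
        return false;
    for (size_t i = 0; i < len; i++)
        if (tolower((unsigned char) tok[i]) != tolower((unsigned char) kw[i]))
            return false;
    return true;
}

/*
 * Parse e.g. "ALL:-TLSv1" or "TLSv1.1:+TLSv1.2" into a bitmask. Returns
 * true with *mask set, or false with a message in errbuf. Any mention of
 * SSLv2 or SSLv3 fails here, at parse time; nothing is stripped later.
 */
bool parse_ssl_protocols(const char *spec, unsigned *mask,
                         char *errbuf, size_t errlen)
{
    unsigned result = 0;
    const char *p = spec;

    *mask = 0;
    if (spec == NULL || *spec == '\0') {
        snprintf(errbuf, errlen, "ssl_protocols must not be empty");
        return false;
    }
    while (*p != '\0') {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t) (end - p) : strlen(p);
        const char *tok = p;
        size_t toklen = len;
        char op = '+';
        unsigned bit = 0;

        if (toklen > 0 && (tok[0] == '+' || tok[0] == '-')) {
            op = tok[0];
            tok++;
            toklen--;
        }
        if (toklen == 0) {
            snprintf(errbuf, errlen, "empty element in ssl_protocols");
            return false;
        }
        if (token_is(tok, toklen, "ALL")) {
            bit = PROTO_ALL;
        } else {
            for (size_t i = 0; i < sizeof proto_names / sizeof proto_names[0]; i++)
                if (token_is(tok, toklen, proto_names[i].name))
                    bit = proto_names[i].bit;
            if (bit == 0) {
                snprintf(errbuf, errlen, "unrecognized protocol \"%.*s\"", (int) toklen, tok);
                return false;
            }
        }
        /* Reject early: the server will never offer these, so naming them
         * (even with '-') is a configuration error rather than a warning. */
        if (bit & PROTO_FORBIDDEN) {
            snprintf(errbuf, errlen, "protocol \"%.*s\" is not supported", (int) toklen, tok);
            return false;
        }
        if (op == '-')
            result &= ~bit;
        else
            result |= bit;
        p = end ? end + 1 : p + len;
    }
    if (result == 0) {
        snprintf(errbuf, errlen, "ssl_protocols leaves no protocol enabled");
        return false;
    }
    *mask = result;
    return true;
}

int main(void)
{
    const char *samples[] = {"ALL", "ALL:-TLSv1", "ALL:SSLv3", "SSLv2:TLSv1.2"};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned mask;
        char err[128];
        if (parse_ssl_protocols(samples[i], &mask, err, sizeof err))
            printf("%-14s -> mask 0x%02x\n", samples[i], mask);
        else
            printf("%-14s -> rejected: %s\n", samples[i], err);
    }
    return 0;
}
```

In a PostgreSQL GUC this check would belong in the option's check hook, so a value naming SSLv2 or SSLv3 is refused when the configuration is loaded or SET, rather than being accepted and quietly narrowed afterwards.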


