I am confused. How can we switch back to SSLv23_method and still be compatible with TLSv1_method. Does SSLv23_method support both?
The SSL author didn't like SSLv23_method (especially SSLv2) and I am not confident to question his decision. We will just have to break backward compatibility with pre-7.3 clients. No one else has mentioned it as a problem, and in fact most have probably already upgraded to 7.3, so we should be OK. --------------------------------------------------------------------------- Nathan Mueller wrote: > > I believe that pre7-3 SSL clients will work in 7.3.1, or am I wrong? > > In 7.3 the SSL protocol switched from SSLv2 to TLSv1. If the server > method is switched to SSLv23_method it will be backwords compatable with > pre-7.3 clients without sacrificing the added security of TLSv1 for > newer stuff. There's been a lot of other changes to the SSL code between > 7.2 and 7.3, but I've tested this out and haven't found any problems. > I've included a patch to src/backend/libpq/be-secure.c if you're > interested. > > --Nate > > --- be-secure.c 13 Dec 2002 18:06:44 -0000 1.3 > +++ be-secure.c 18 Dec 2002 04:16:19 -0000 > @@ -587,7 +587,7 @@ > { > SSL_library_init(); > SSL_load_error_strings(); > - SSL_context = SSL_CTX_new(TLSv1_method()); > + SSL_context = SSL_CTX_new(SSLv23_method()); > if (!SSL_context) > { > postmaster_error("failed to create SSL > context: %s", > -- Bruce Momjian | http://candle.pha.pa.us [EMAIL PROTECTED] | (610) 359-1001 + If your life is a hard drive, | 13 Roberts Road + Christ can be your backup. | Newtown Square, Pennsylvania 19073 ---------------------------(end of broadcast)--------------------------- TIP 3: if posting/reading through Usenet, please send an appropriate subscribe-nomail command to [EMAIL PROTECTED] so that your message can get through to the mailing list cleanly