scott.marlowe wrote: > > I wasn't sure how insecure SSL2 was, and whether it allowed you to > > authenticate without a password or something. > > SSL2 seems to get a lot of votes for being broken in ways that cannot be > fixed because they aren't simple buffer overflows. see: > > http://www.lne.com/ericm/papers/ssl_servers.html#1.2 > > My suggestion would be to eventually phase out ssl2 in favor of ssl3 or > tls. And, as we are phasing it out, make it an opt-in thing, where the > dba has to turn on ssl2 KNOWING he is turning on a flawed protocol.
That was sort of my point --- if we allow SSLv2 in the server, are we open to any security problems? Maybe not. I just don't know. -- Bruce Momjian | http://candle.pha.pa.us [EMAIL PROTECTED] | (610) 359-1001 + If your life is a hard drive, | 13 Roberts Road + Christ can be your backup. | Newtown Square, Pennsylvania 19073 ---------------------------(end of broadcast)--------------------------- TIP 1: subscribe and unsubscribe commands go to [EMAIL PROTECTED]