On Sat, Jan 25, 2014 at 12:25:30PM -0500, Tom Lane wrote:
Alternatively, given that TLS has been around for a dozen years and
openssl versions that old have not gotten security updates for a long
time, why don't we just reject SSLv3 on the backend side too?
I guess it's barely possible that
Marko Kreen mark...@gmail.com writes:
On Sat, Jan 25, 2014 at 12:25:30PM -0500, Tom Lane wrote:
Alternatively, given that TLS has been around for a dozen years and
openssl versions that old have not gotten security updates for a long
time, why don't we just reject SSLv3 on the backend side
On 01/26/2014 10:13 AM, Alvaro Herrera wrote:
Stephen Frost wrote:
* Noah Misch (n...@leadboat.com) wrote:
+1. If you can upgrade to 9.4, you can also bring your TLS protocol out of
the iron age.
Agreed- this was going to be my 2c. Anyone w/ an SSL library that old
isn't likely to be
Noah Misch n...@leadboat.com writes:
libpq: Support TLS versions beyond TLSv1.
Per report from Jeffrey Walton, libpq has been accepting only TLSv1
exactly. Along the lines of the backend code, libpq will now support
new versions as OpenSSL adds them.
This patch seems fishy. The commit
On Sat, Jan 25, 2014 at 11:24:19AM -0500, Tom Lane wrote:
Noah Misch n...@leadboat.com writes:
libpq: Support TLS versions beyond TLSv1.
Per report from Jeffrey Walton, libpq has been accepting only TLSv1
exactly. Along the lines of the backend code, libpq will now support
new versions
Noah Misch n...@leadboat.com writes:
On Sat, Jan 25, 2014 at 11:24:19AM -0500, Tom Lane wrote:
why wasn't the backend also made to reject SSL v3?
The backend allows SSLv3, TLSv1, TLSv1.1 and TLSv1.2. Before the patch, libpq
allowed TLSv1 only. Since the patch, libpq allows TLSv1, TLSv1.1
On Sat, Jan 25, 2014 at 12:25:30PM -0500, Tom Lane wrote:
Noah Misch n...@leadboat.com writes:
On Sat, Jan 25, 2014 at 11:24:19AM -0500, Tom Lane wrote:
why wasn't the backend also made to reject SSL v3?
The backend allows SSLv3, TLSv1, TLSv1.1 and TLSv1.2. Before the patch,
libpq
* Noah Misch (n...@leadboat.com) wrote:
+1. If you can upgrade to 9.4, you can also bring your TLS protocol out of
the iron age.
Agreed- this was going to be my 2c. Anyone w/ an SSL library that old
isn't likely to be upgrading to 9.4 of libpq or PG.
Thanks,
Stephen
Stephen Frost wrote:
* Noah Misch (n...@leadboat.com) wrote:
+1. If you can upgrade to 9.4, you can also bring your TLS protocol out of
the iron age.
Agreed- this was going to be my 2c. Anyone w/ an SSL library that old
isn't likely to be upgrading to 9.4 of libpq or PG.
What about