Re: Recent vendor SSL renegotiation patches break PostgreSQL
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Magnus Hagander <magnus@hagander.net>
Cc: Bruce Momjian <bruce@momjian.us>, Chris Campbell <chris_campbell@mac.com>, Robert Haas <robertmhaas@gmail.com>, pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2010-02-22T16:54:31Z
Lists: pgsql-hackers
Magnus Hagander <magnus@hagander.net> writes: > If so, shouldn't we try to disable renegotiation for all versions > *before* it was properly fixed? If we could tell that, sure. But I don't believe there is any way to identify whether a given installation of openssl has this patched. Please don't suggest looking at the version number --- Red Hat and other vendors are in the habit of back-patching security fixes without changing the version number. > Which today means all versions released. The proper fix is in 0.9.8m, > which is currently in beta. At least that's my understanding. Red Hat's already shipping the patch. Dunno about other vendors. The real bottom line here is that this isn't our bug. It's unfortunate that we're affected by it, but that doesn't mean that we should be installing kluges to work around it. regards, tom lane