Re: [PATCH] add ssl_protocols configuration option

Dag-Erling Smørgrav <des@des.no>

From: Dag-Erling Smørgrav <des@des.no>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Magnus Hagander <magnus@hagander.net>, Alvaro Herrera <alvherre@2ndquadrant.com>, Michael Paquier <michael.paquier@gmail.com>, PostgreSQL mailing lists <pgsql-hackers@postgresql.org>
Date: 2014-10-22T13:16:56Z
Lists: pgsql-hackers
Tom Lane <tgl@sss.pgh.pa.us> writes:
> And in the end, if we set values like this from PG --- whether
> hard-wired or via a GUC --- the SSL library people will have exactly
> the same perspective with regards to *our* values.  And not without
> reason; we were forcing very obsolete settings up till recently,
> because nobody had looked at the issue for a decade.  I see no reason
> to expect that that history won't repeat itself.

I'm not sure what you're saying here, but - I'm not sure how familiar
you are with the OpenSSL API, but it's insecure by default.  There is
*no other choice* for an application than to explicitly select which
protocols it wants to use (or at least which protocols it wants to
avoid).  And you can't change OpenSSL, because a ton of old crappy
software is going to break.

DES
-- 
Dag-Erling Smørgrav - des@des.no