Re: Recent vendor SSL renegotiation patches break PostgreSQL

Magnus Hagander <magnus@hagander.net>

From: Magnus Hagander <magnus@hagander.net>
To: Chris Campbell <chris_campbell@mac.com>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, Bruce Momjian <bruce@momjian.us>, Robert Haas <robertmhaas@gmail.com>, pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2010-02-22T19:34:03Z
Lists: pgsql-hackers
2010/2/22 Chris Campbell <chris_campbell@mac.com>:
> On Feb 22, 2010, at 12:25 PM, Tom Lane wrote:
>
>> I think we already missed the window where it would have been sensible
>> to install a hack workaround for this.  If we'd done that in November
>> it might have been reasonable, but by now it's too late for any hack
>> we install to spread much faster than fixed openssl libraries.
>
> Could we simply ignore renegotiation errors? Or change them to warnings? That may enable us to work with the semi-fixed OpenSSL libraries that are currently in the field, without disabling the functionality altogether.

I guess we could, but if we do that then we've opened a window where
someone can attack us if we *have* a properly working openssl, haven't
we?


-- 
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/