On Wed, Feb 3, 2010 at 10:21 AM, Tom Lane wrote:
> Robert Haas <robertmhaas@gmail.com> writes:
>> Should we think about adding a GUC to disable renegotiation until this
>> blows over?
>
> Bad idea: once set, it'll never get unset, thus leaving installations
> with a weakened security posture even after they've installed fixed
> versions of openssl.

That's a problem, but our current posture of holding our breath
doesn't seem to be working either. If we insist on shipping code that
doesn't work with currently-distributed versions of OpenSSL, people
will do things like, say, shut SSL off. Or packagers of PostgreSQL
will apply patches that disable it unconditionally, leaving us with no
control.

...Robert
