[pgpool-hackers: 59] Re: extend ssl support from tlsv1 to sslv2/sslv3/tlsv3
Tatsuo Ishii
ishii at postgresql.org
Fri Apr 6 06:31:42 JST 2012
> Hi,
> I would propose to extend the supported SSL connection types, because some drivers (e.g. JDBC) use the client hello message for the handshake by default.
>
>
> --- a/pool_ssl.c
> +++ b/pool_ssl.c
> @@ -186,7 +186,7 @@ static int init_ssl_ctx(POOL_CONNECTION *cp, enum ssl_conn_type conntype) {
> char *cacert = NULL, *cacert_dir = NULL;
>
> /* initialize SSL members */
> - cp->ssl_ctx = SSL_CTX_new(TLSv1_method());
> + cp->ssl_ctx = SSL_CTX_new(SSLv23_method());
> SSL_RETURN_ERROR_IF( (! cp->ssl_ctx), "SSL_CTX_new" );
>
> if ( conntype == ssl_conn_serverclient) {
>
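Review bot: swapping TLSv1_method() for SSLv23_method() at the SSL_CTX_new line lowers the protocol floor to SSLv2 rather than merely widening the accepted hello format, because SSLv23_method() negotiates any version the library supports unless the caller disables some; add `SSL_CTX_set_options(cp->ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` right after the SSL_RETURN_ERROR_IF check so the version-flexible method still reads an SSLv2-compatible ClientHello that offers TLS 1.0 but refuses an SSLv2 or SSLv3 session. Since the context is created before the `if ( conntype == ssl_conn_serverclient) {` branch, the same floor then applies to both the frontend-facing and backend-facing contexts, which is what you want as long as the options line also sits before that branch.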
> Or is there a reason to use only TLSv1 method?
I asked about this on the pgsql-hackers list and the answer was that TLSv1 is
more secure.
http://archives.postgresql.org/pgsql-hackers/2012-04/msg00283.php
So it seems we should stay with TLS.
--
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
Japanese: http://www.sraoss.co.jp
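The point the two messages turn on, the difference between an SSLv2-format CLIENT-HELLO that still offers TLS 1.0 and a ClientHello carried in a TLS record, can be shown without OpenSSL. The following is an added example, not pgpool code and not code from either poster: it parses the leading bytes of a client's first flight, classifies the hello format and the version it offers, and models what a context built with TLSv1_method() versus SSLv23_method() would do with it. Assumptions: the quoted request's "client hello message" is read as the SSLv2-compatible ClientHello that older JSSE/OpenSSL clients send by default; the two accepted_by_* functions model only the version rule (including the SSL_OP_NO_SSLv2 / SSL_OP_NO_SSLv3 options), not cipher-suite selection; the sample byte strings are constructed, not captured.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum hello_kind {
    HELLO_UNKNOWN = 0,   /* not a recognisable hello */
    HELLO_SSLV2_COMPAT,  /* SSLv2-format CLIENT-HELLO; may still offer TLS */
    HELLO_TLS_RECORD     /* SSL3/TLS record layer carrying a ClientHello */
};
struct hello_info {
    enum hello_kind kind;
    uint8_t major, minor;  /* highest protocol version the client offers */
};

/* Inspect only the format and the version field of a client's first flight. */
struct hello_info classify_client_hello(const uint8_t *buf, size_t len)
{
    struct hello_info info = { HELLO_UNKNOWN, 0, 0 };
    if (len < 5)
        return info;
    /* SSL3/TLS record: type 0x16 (handshake), version 3.x, 2-byte length, then
       handshake type 0x01 (ClientHello), 3-byte length, 2-byte client_version. */
    if (buf[0] == 0x16 && buf[1] == 0x03) {
        if (len < 11 || buf[5] != 0x01)
            return info;
        info.kind = HELLO_TLS_RECORD;
        info.major = buf[9];
        info.minor = buf[10];
        return info;
    }
    /* SSLv2-format CLIENT-HELLO: 2-byte header with the high bit set (low 15
       bits = length), then type 0x01 and the 2-byte version the client wants. */
    if ((buf[0] & 0x80) != 0 && buf[2] == 0x01) {
        info.kind = HELLO_SSLV2_COMPAT;
        info.major = buf[3];
        info.minor = buf[4];
    }
    return info;
}

/* Model of SSL_CTX_new(TLSv1_method()): only a TLS record at version 3.1 is
   read, so an SSLv2-format hello is refused even when it offers TLS 1.0. */
int accepted_by_tlsv1_method(const uint8_t *buf, size_t len)
{
    struct hello_info h = classify_client_hello(buf, len);
    return h.kind == HELLO_TLS_RECORD && h.major == 3 && h.minor == 1;
}

/* Model of SSL_CTX_new(SSLv23_method()): either hello format is read and the
   offered version is used unless SSL_OP_NO_SSLv2 / SSL_OP_NO_SSLv3 exclude it.
   Assumption: only the version rule is modelled, not cipher-suite selection. */
int accepted_by_sslv23_method(const uint8_t *buf, size_t len,
                              int no_sslv2, int no_sslv3)
{
    struct hello_info h = classify_client_hello(buf, len);
    if (h.kind == HELLO_UNKNOWN)
        return 0;
    if (no_sslv2 && h.major == 0 && h.minor == 2)   /* SSLv2 is 0x0002 */
        return 0;
    if (no_sslv3 && h.major == 3 && h.minor == 0)   /* SSLv3 is 0x0300 */
        return 0;
    return 1;
}

/* Constructed samples, not captured traffic; the TLS one is truncated after
   the start of client_random (its length fields describe the full message). */
const uint8_t SAMPLE_TLS_RECORD_HELLO[] = {
    0x16, 0x03, 0x01, 0x00, 0x2d, 0x01, 0x00, 0x00, 0x29, 0x03, 0x01,
    0x4f, 0x7e, 0x12, 0x00
};
/* SSLv2-format hello offering TLS 1.0 with two TLS ciphers and one SSLv2
   cipher: the backward-compatible hello older clients send by default. */
const uint8_t SAMPLE_V2_COMPAT_TLS_HELLO[] = {
    0x80, 0x22, 0x01, 0x03, 0x01, 0x00, 0x09, 0x00, 0x00, 0x00, 0x10,
    0x00, 0x00, 0x2f, 0x00, 0x00, 0x0a, 0x01, 0x00, 0x80,
    0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7, 0xa8,
    0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf, 0xb0
};
/* SSLv2-only hello: version 0x0002, one SSLv2 cipher. */
const uint8_t SAMPLE_V2_ONLY_HELLO[] = {
    0x80, 0x1c, 0x01, 0x00, 0x02, 0x00, 0x03, 0x00, 0x00, 0x00, 0x10,
    0x01, 0x00, 0x80,
    0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7, 0xc8,
    0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf, 0xd0
};

static void report(const char *name, const uint8_t *buf, size_t len)
{
    struct hello_info h = classify_client_hello(buf, len);
    printf("%-24s kind=%d offers=%u.%u TLSv1_method:%s SSLv23_method(no v2/v3):%s\n",
           name, (int)h.kind, (unsigned)h.major, (unsigned)h.minor,
           accepted_by_tlsv1_method(buf, len) ? "accept" : "reject",
           accepted_by_sslv23_method(buf, len, 1, 1) ? "accept" : "reject");
}
int main(void)
{
    report("tls-record", SAMPLE_TLS_RECORD_HELLO, sizeof SAMPLE_TLS_RECORD_HELLO);
    report("v2-compat-offering-tls", SAMPLE_V2_COMPAT_TLS_HELLO, sizeof SAMPLE_V2_COMPAT_TLS_HELLO);
    report("v2-only", SAMPLE_V2_ONLY_HELLO, sizeof SAMPLE_V2_ONLY_HELLO);
    return 0;
}
```

The second sample is the case the original request is about: it offers TLS 1.0, yet the TLSv1_method() model refuses it because of its framing, while the SSLv23_method() model with both SSL_OP_NO_* options set takes it and still refuses the third, SSLv2-only sample. That is the configuration that reconciles the driver-compatibility argument with the "stay with TLS" answer.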