| From: | Marko Kreen <markokr(at)gmail(dot)com> |
|---|---|
| To: | Postgres Hackers List <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | SSL: better default ciphersuite |
| Date: | 2013-11-14 23:11:05 |
| Message-ID: | 20131114231105.GA23669@gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Attached patch changes the default ciphersuite to
HIGH:!aNULL
instead of old
DEFAULT:!LOW:!EXP:!MD5:@STRENGTH
where DEFAULT is a shortcut for "ALL:!aNULL:!eNULL".
Main goal is to leave low-level ciphersuite details to OpenSSL guys
and give clear impression to Postgres admins what it is about.
Compared to old value, new value will remove all suites with RC4 and SEED
from ciphersuite list. If OpenSSL is compiled with support for SSL2,
it will include following suite: DES-CBC3-MD5, usable only for SSL2
connections.
Tested with OpenSSL 0.9.7 - 1.0.1, using "openssl ciphers -v ..." command.
Values used
-----------
HIGH:
Contains only secure and well-researched algorithms.
!aNULL
Needed to disable suites that do not authenticate server.
DEFAULT includes !aNULL by default.
Values not used
---------------
!MD5
This affects only one suite: DES-CBC3-MD5, which is available only
for SSL2 connections. So it would only pollute the default value.
@STRENGTH
The OpenSSL cipher list is already sorted by humans,
it's unlikely that mechanical sort would improve things.
Also the existence of this value in old list is rather
dubious, as server cipher order was never respected anyway.
--
marko
| Attachment | Content-Type | Size |
|---|---|---|
| ssl.default.patch | text/x-diff | 1015 bytes |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Peter Geoghegan | 2013-11-14 23:16:00 | Re: Anybody using get_eclass_for_sort_expr in an extension? |
| Previous Message | Tom Lane | 2013-11-14 23:08:20 | Anybody using get_eclass_for_sort_expr in an extension? |