Skip site navigation (1) Skip section navigation (2)

Re: default SSL compression (was: libpq compression)

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Bruce Momjian <bruce(at)momjian(dot)us>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Euler Taveira <euler(at)timbira(dot)com>, Florian Pflug <fgp(at)phlo(dot)org>, Pgsql Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: default SSL compression (was: libpq compression)
Date: 2013-01-01 15:29:35
Message-ID: CABUevEyu=KkoaFxc3FFeu02vwK7OUmq+hfRKYC2=ZBS3i7=Tww@mail.gmail.com (view raw or flat)
Thread:
Lists: pgsql-hackers
On Thu, Aug 30, 2012 at 11:41 PM, Bruce Momjian <bruce(at)momjian(dot)us> wrote:

> On Sun, Jun 17, 2012 at 11:45:54PM +0800, Magnus Hagander wrote:
> > On Sun, Jun 17, 2012 at 11:42 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> > > Magnus Hagander <magnus(at)hagander(dot)net> writes:
> > >> Is there a reason why we don't have a parameter on the client
> > >> mirroring ssl_ciphers?
> > >
> > > Dunno, do we need one?  I am not sure what the cipher negotiation
> process
> > > looks like or which side has the freedom to choose.
> >
> > I haven't looked into the details, but it seems reasonable that
> > *either* side should be able to at least define a list of ciphers it
> > *doens't* want to talk with.
> >
> > Do we need it - well, it makes sense for the client to be able to say
> > "I won't trust 56-bit encryption" before it sends over the password,
> > imo..
> >
> >
> > >> That, or just have DEFAULT as being the default (which in current
> > >> openssl means ALL:!aNULL:!eNULL.
> > >
> > > If our default isn't the same as the underlying default, I have to
> > > question why not.
> >
> > Yeah, that's exaclty what I'm questioning here..
> >
> > >  But are you sure this "!" notation will work with
> > > all openssl versions?
> >
> > Uh. We have the ! notation in our default *now*. What openssl also
> > supports is the text "DEFAULT", which is currently the equivalent of
> > "ALL!aNULL!eNULL". The question, which is valid of course, should be
> > if "DEFAULT" works with all openssl versions.
> >
> > It would seem reasonable it does, but I haven't investigated.
>
> Do we want to change our ssl_ciphers default to 'DEFAULT'?  Currently it
> is 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH'.
>
>
Did we ever get anywhere with this? Is this a change we want to do for 9.3?
Since nobody seems to have come up with a motivation for not following the
openssl default, we probably should?

-- 
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/

Responses

pgsql-hackers by date

Next:From: Hannu KrosingDate: 2013-01-01 16:07:22
Subject: Re: pg_retainxlog for inclusion in 9.3?
Previous:From: Magnus HaganderDate: 2013-01-01 15:10:32
Subject: pg_retainxlog for inclusion in 9.3?

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group