Skip site navigation (1) Skip section navigation (2)

Re: default SSL compression (was: libpq compression)

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Noah Misch <noah(at)leadboat(dot)com>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Bruce Momjian <bruce(at)momjian(dot)us>, Euler Taveira <euler(at)timbira(dot)com>, Florian Pflug <fgp(at)phlo(dot)org>, Pgsql Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: default SSL compression (was: libpq compression)
Date: 2013-01-02 14:17:14
Message-ID: CABUevEzG5fAM2C4crDRcK=QC0T6kZmq34q0ZdxEmjXW+0uLDuA@mail.gmail.com (view raw or flat)
Thread:
Lists: pgsql-hackers
On Wed, Jan 2, 2013 at 3:15 PM, Noah Misch <noah(at)leadboat(dot)com> wrote:
> On Wed, Jan 02, 2013 at 02:03:20PM +0100, Magnus Hagander wrote:
>> On Wed, Jan 2, 2013 at 1:15 AM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>> > So +1 for changing it to "DEFAULT" from me, too.  There's no reason to
>> > think we know more about this than the OpenSSL authors.
>>
>> The DEFAULT value in OpenSSL 1.0 means "ALL:!aNULL:!eNULL".
>>
>> Researching some more, this might cause a problem actually, which
>> would explain some of the things that are in our default. For example,
>> an ADH algorithm doesn't use certificates - but it uses DH parameters,
>> so it likely won't work anyway. EDH uses certs, but also requires DH
>> parameters.
>>
>> Maybe what we nede is "DEFAULT:!ADH:@STRENGTH" as the default?
>
> I understand aNULL to include ADH.

Hmm. Seems you're right when I run a test on it, I was reading it wrong.


>> The other difference is that our current string denies 40 and 56 bit
>> encryptions (low and export strenghts). Do we stll want to do that?
>
> On the one hand, those seem bad to permit by default in 2013.  On the other
> hand, if so, why hasn't OpenSSL removed them from DEFAULT?  Perhaps it has
> backward-compatibility concerns that wouldn't apply to us by virtue of having
> disabled them for some time.  Sounds reasonable to continue disabling them.

So then the default would be "DEFAULT:!LOW:!EXP:@STRENGTH"

(the @STRENGTH part is the sorting key for preference, which the
default one seems not to have)

The biggest difference being that we start from DEFAULT rather than ALL.

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/


In response to

Responses

pgsql-hackers by date

Next:From: Andreas HeinischDate: 2013-01-02 14:27:40
Subject: Adding rewrite rule to QueryRewrite
Previous:From: Noah MischDate: 2013-01-02 14:15:03
Subject: Re: default SSL compression (was: libpq compression)

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group