From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | Noah Misch <noah(at)leadboat(dot)com> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Bruce Momjian <bruce(at)momjian(dot)us>, Euler Taveira <euler(at)timbira(dot)com>, Florian Pflug <fgp(at)phlo(dot)org>, Pgsql Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: default SSL compression (was: libpq compression) |
Date: | 2013-01-02 14:17:14 |
Message-ID: | CABUevEzG5fAM2C4crDRcK=QC0T6kZmq34q0ZdxEmjXW+0uLDuA@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Wed, Jan 2, 2013 at 3:15 PM, Noah Misch <noah(at)leadboat(dot)com> wrote:
> On Wed, Jan 02, 2013 at 02:03:20PM +0100, Magnus Hagander wrote:
>> On Wed, Jan 2, 2013 at 1:15 AM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>> > So +1 for changing it to "DEFAULT" from me, too. There's no reason to
>> > think we know more about this than the OpenSSL authors.
>>
>> The DEFAULT value in OpenSSL 1.0 means "ALL:!aNULL:!eNULL".
>>
>> Researching some more, this might cause a problem actually, which
>> would explain some of the things that are in our default. For example,
>> an ADH algorithm doesn't use certificates - but it uses DH parameters,
>> so it likely won't work anyway. EDH uses certs, but also requires DH
>> parameters.
>>
>> Maybe what we nede is "DEFAULT:!ADH:@STRENGTH" as the default?
>
> I understand aNULL to include ADH.
Hmm. Seems you're right when I run a test on it, I was reading it wrong.
>> The other difference is that our current string denies 40 and 56 bit
>> encryptions (low and export strenghts). Do we stll want to do that?
>
> On the one hand, those seem bad to permit by default in 2013. On the other
> hand, if so, why hasn't OpenSSL removed them from DEFAULT? Perhaps it has
> backward-compatibility concerns that wouldn't apply to us by virtue of having
> disabled them for some time. Sounds reasonable to continue disabling them.
So then the default would be "DEFAULT:!LOW:!EXP:@STRENGTH"
(the @STRENGTH part is the sorting key for preference, which the
default one seems not to have)
The biggest difference being that we start from DEFAULT rather than ALL.
--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
From | Date | Subject | |
---|---|---|---|
Next Message | Andreas Heinisch | 2013-01-02 14:27:40 | Adding rewrite rule to QueryRewrite |
Previous Message | Noah Misch | 2013-01-02 14:15:03 | Re: default SSL compression (was: libpq compression) |