From: | Peter Eisentraut <peter_e(at)gmx(dot)net> |
---|---|
To: | Marko Kreen <markokr(at)gmail(dot)com> |
Cc: | Postgres Hackers List <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: SSL: better default ciphersuite |
Date: | 2013-11-29 14:18:49 |
Message-ID: | 1385734729.27340.13.camel@vanquo.pezone.net |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Fri, 2013-11-15 at 01:11 +0200, Marko Kreen wrote:
> Attached patch changes the default ciphersuite to
>
> HIGH:!aNULL
>
> instead of old
>
> DEFAULT:!LOW:!EXP:!MD5:@STRENGTH
>
> where DEFAULT is a shortcut for "ALL:!aNULL:!eNULL".
> Main goal is to leave low-level ciphersuite details to OpenSSL guys
> and give clear impression to Postgres admins what it is about.
If we want to leave the details of the ciphers to OpenSSL, I think we
shouldn't be second-guessing their judgement of what a reasonable
default is.
I checked Apache mod_ssl and Postfix, and even though they are
configuring this slightly differently, I think their defaults end up
being about the same as what PostgreSQL currently has.
https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite
http://www.postfix.org/postconf.5.html#smtpd_tls_mandatory_ciphers
> HIGH:
> Contains only secure and well-researched algorithms.
>
> !aNULL
> Needed to disable suites that do not authenticate server.
> DEFAULT includes !aNULL by default.
Wouldn't HIGH exclude aNULL also? (If not, what about eNULL?)
> !MD5
> This affects only one suite: DES-CBC3-MD5, which is available only
> for SSL2 connections. So it would only pollute the default value.
I think this is only there for political correctness.
> @STRENGTH
> The OpenSSL cipher list is already sorted by humans,
> it's unlikely that mechanical sort would improve things.
> Also the existence of this value in old list is rather
> dubious, as server cipher order was never respected anyway.
Aren't you proposing to change that?
From | Date | Subject | |
---|---|---|---|
Next Message | Peter Eisentraut | 2013-11-29 14:25:02 | Re: [PATCH 1/2] SSL: GUC option to prefer server cipher order |
Previous Message | Antonin Houska | 2013-11-29 13:56:54 | Re: Todo item: Support amgettuple() in GIN |