From: | Christoph Berg <myon(at)debian(dot)org> |
---|---|
To: | Heikki Linnakangas <hlinnaka(at)iki(dot)fi> |
Cc: | Nicolas Guini <nicolasguini(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org, Damian Quiroga <qdamian(at)gmail(dot)com> |
Subject: | Re: PostgreSQL - Weak DH group |
Date: | 2016-10-06 19:26:42 |
Message-ID: | 20161006192642.zgxukwjj2kvyh4hr@msg.df7cb.de |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
Re: Heikki Linnakangas 2016-10-06 <fd6eb3cc-1585-1469-fd9e-763f8e410b19(at)iki(dot)fi>
> I propose the attached patch. It gives up on trying to deal with multiple
> key lengths (as noted earlier, OpenSSL just always passed keylength=1024, so
> that was useless). Instead of using the callback, it just sets fixed DH
> parameters with SSL_CTX_set_tmp_dh(), like we do for the ECDH curve. The DH
> parameters are loaded from a file called "dh_params.pem" (instead of
> "dh1024.pem"), if present, otherwise the built-in 2048 bit parameters are
> used.
Shouldn't this be a GUC pointing to a configurable location like
ssl_cert_file? This way, people reading the security section of the
default postgresql.conf would notice that there's something (new) to
configure. (And I wouldn't want to start creating symlinks from PGDATA
to /etc/ssl/something again...)
Thanks,
Christoph
From | Date | Subject | |
---|---|---|---|
Next Message | Jeff Janes | 2016-10-06 19:56:22 | Re: VACUUM's ancillary tasks |
Previous Message | Robert Haas | 2016-10-06 18:55:55 | Re: Switch to unnamed POSIX semaphores as our preferred sema code? |