| From: | Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> |
|---|---|
| To: | Daniel Gustafsson <daniel(at)yesql(dot)se>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: Replacing the EDH SKIP primes |
| Date: | 2019-07-02 07:14:25 |
| Message-ID: | 901e9fb2-3494-0365-4054-59c488d0a208@2ndquadrant.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 2019-06-18 13:05, Daniel Gustafsson wrote:
> This was touched upon, but never really discussed AFAICT, back when then EDH
> parameters were reworked a few years ago. Instead of replacing with custom
> ones, as suggested in [1] it we might as well replace with standardized ones as
> this is a fallback. Custom ones wont make it more secure, just add more work
> for the project. The attached patch replace the SKIP prime with the 2048 bit
> MODP group from RFC 3526, which is the same change that OpenSSL did a few years
> back [2].
It appears that we have consensus to go ahead with this.
<paranoia>
I was wondering whether the provided binary blob contained any checksums
or other internal checks. How would we know whether it contains
transposed characters or replaces a 1 by a I or a l? If I just randomly
edit the blob, the ssl tests still pass. (The relevant load_dh_buffer()
call does get called by the tests.) How can we make sure we actually
got a good copy?
</paranoia>
--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Peter Eisentraut | 2019-07-02 07:19:22 | Re: Add parallelism and glibc dependent only options to reindexdb |
| Previous Message | Ashwin Agrawal | 2019-07-02 07:07:42 | Re: C testing for Postgres |