Skip site navigation (1) Skip section navigation (2)

Re: default SSL compression (was: libpq compression)

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Noah Misch <noah(at)leadboat(dot)com>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Bruce Momjian <bruce(at)momjian(dot)us>, Euler Taveira <euler(at)timbira(dot)com>, Florian Pflug <fgp(at)phlo(dot)org>, Pgsql Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: default SSL compression (was: libpq compression)
Date: 2013-01-02 14:17:14
Message-ID: (view raw, whole thread or download thread mbox)
Lists: pgsql-hackers
On Wed, Jan 2, 2013 at 3:15 PM, Noah Misch <noah(at)leadboat(dot)com> wrote:
> On Wed, Jan 02, 2013 at 02:03:20PM +0100, Magnus Hagander wrote:
>> On Wed, Jan 2, 2013 at 1:15 AM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>> > So +1 for changing it to "DEFAULT" from me, too.  There's no reason to
>> > think we know more about this than the OpenSSL authors.
>> The DEFAULT value in OpenSSL 1.0 means "ALL:!aNULL:!eNULL".
>> Researching some more, this might cause a problem actually, which
>> would explain some of the things that are in our default. For example,
>> an ADH algorithm doesn't use certificates - but it uses DH parameters,
>> so it likely won't work anyway. EDH uses certs, but also requires DH
>> parameters.
>> Maybe what we nede is "DEFAULT:!ADH:@STRENGTH" as the default?
> I understand aNULL to include ADH.

Hmm. Seems you're right when I run a test on it, I was reading it wrong.

>> The other difference is that our current string denies 40 and 56 bit
>> encryptions (low and export strenghts). Do we stll want to do that?
> On the one hand, those seem bad to permit by default in 2013.  On the other
> hand, if so, why hasn't OpenSSL removed them from DEFAULT?  Perhaps it has
> backward-compatibility concerns that wouldn't apply to us by virtue of having
> disabled them for some time.  Sounds reasonable to continue disabling them.

So then the default would be "DEFAULT:!LOW:!EXP:@STRENGTH"

(the @STRENGTH part is the sorting key for preference, which the
default one seems not to have)

The biggest difference being that we start from DEFAULT rather than ALL.

 Magnus Hagander

In response to


pgsql-hackers by date

Next:From: Andreas HeinischDate: 2013-01-02 14:27:40
Subject: Adding rewrite rule to QueryRewrite
Previous:From: Noah MischDate: 2013-01-02 14:15:03
Subject: Re: default SSL compression (was: libpq compression)

Privacy Policy | About PostgreSQL
Copyright © 1996-2018 The PostgreSQL Global Development Group