On Thu, Aug 30, 2012 at 11:41 PM, Bruce Momjian <br...@momjian.us> wrote:
> On Sun, Jun 17, 2012 at 11:45:54PM +0800, Magnus Hagander wrote: > > On Sun, Jun 17, 2012 at 11:42 PM, Tom Lane <t...@sss.pgh.pa.us> wrote: > > > Magnus Hagander <mag...@hagander.net> writes: > > >> Is there a reason why we don't have a parameter on the client > > >> mirroring ssl_ciphers? > > > > > > Dunno, do we need one? I am not sure what the cipher negotiation > process > > > looks like or which side has the freedom to choose. > > > > I haven't looked into the details, but it seems reasonable that > > *either* side should be able to at least define a list of ciphers it > > *doens't* want to talk with. > > > > Do we need it - well, it makes sense for the client to be able to say > > "I won't trust 56-bit encryption" before it sends over the password, > > imo.. > > > > > > >> That, or just have DEFAULT as being the default (which in current > > >> openssl means ALL:!aNULL:!eNULL. > > > > > > If our default isn't the same as the underlying default, I have to > > > question why not. > > > > Yeah, that's exaclty what I'm questioning here.. > > > > > But are you sure this "!" notation will work with > > > all openssl versions? > > > > Uh. We have the ! notation in our default *now*. What openssl also > > supports is the text "DEFAULT", which is currently the equivalent of > > "ALL!aNULL!eNULL". The question, which is valid of course, should be > > if "DEFAULT" works with all openssl versions. > > > > It would seem reasonable it does, but I haven't investigated. > > Do we want to change our ssl_ciphers default to 'DEFAULT'? Currently it > is 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH'. > > Did we ever get anywhere with this? Is this a change we want to do for 9.3? Since nobody seems to have come up with a motivation for not following the openssl default, we probably should? -- Magnus Hagander Me: http://www.hagander.net/ Work: http://www.redpill-linpro.com/