Attached patch changes the default ciphersuite to


instead of old


where DEFAULT is a shortcut for "ALL:!aNULL:!eNULL".

The main goal is to leave low-level ciphersuite details to the OpenSSL guys
and give Postgres admins a clear impression of what it is about.

Compared to the old value, the new value will remove all suites with RC4 and SEED
from the ciphersuite list.  If OpenSSL is compiled with support for SSL2,
it will include the following suite: DES-CBC3-MD5, usable only for SSL2.

Tested with OpenSSL 0.9.7 - 1.0.1, using "openssl ciphers -v ..." command.

Values used

  Contains only secure and well-researched algorithms.

  Needed to disable suites that do not authenticate the server.
  DEFAULT includes !aNULL by default.

Values not used

  This affects only one suite: DES-CBC3-MD5, which is available only
  for SSL2 connections.  So it would only pollute the default value.

  The OpenSSL cipher list is already sorted by humans;
  it's unlikely that a mechanical sort would improve things.
  Also, the existence of this value in the old list is rather
  dubious, as server cipher order was never respected anyway.
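An added check, not part of this patch or of PostgreSQL, that does the same comparison the author did with "openssl ciphers -v" but through Python's ssl module (which hands the string to the same libssl cipher-list parser): it expands both ssl_ciphers values against the locally linked OpenSSL, lists what the change drops, and flags any remaining suite the rationale says must be gone (RC4, SEED, or no server authentication). The exact dropped set depends on the OpenSSL build it runs against; on a build without RC4/SEED/SSL2 the difference may be small.

```python
import ssl

# The two ssl_ciphers values compared in the patch.
OLD_SPEC = "DEFAULT:!LOW:!EXP:!MD5:@STRENGTH"
NEW_SPEC = "HIGH:!aNULL"


def expand(spec):
    """Return {suite name: OpenSSL description} for everything 'spec' enables.

    Same resolution as 'openssl ciphers -v spec', done via the linked libssl.
    On OpenSSL 1.1.1+ the TLS 1.3 suites appear as well, because they are
    configured separately and are not affected by the cipher string.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if nothing matches
    return {c["name"]: c["description"] for c in ctx.get_ciphers()}


def offending(suites):
    """Suites the patch's rationale wants excluded: RC4, SEED, or anonymous
    key exchange (OpenSSL prints those as 'Au=None')."""
    return sorted(name for name, desc in suites.items()
                  if "RC4" in name or "SEED" in name or "Au=None" in desc)


def compare(old_spec=OLD_SPEC, new_spec=NEW_SPEC):
    """Suites enabled only by the old value, and only by the new value."""
    old, new = expand(old_spec), expand(new_spec)
    return {"dropped": sorted(set(old) - set(new)),
            "added": sorted(set(new) - set(old))}


if __name__ == "__main__":
    result = compare()
    print("dropped by HIGH:!aNULL:", ", ".join(result["dropped"]) or "(none)")
    print("added by HIGH:!aNULL:  ", ", ".join(result["added"]) or "(none)")
    print("still offending:       ", offending(expand(NEW_SPEC)) or "(none)")
```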


diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c
index ffc69c7..d4e6c52 100644
--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -3144,7 +3144,7 @@ static struct config_string ConfigureNamesString[] =
 #ifdef USE_SSL
+		"HIGH:!aNULL",
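Review bot: this hunk as shown has only the `+		"HIGH:!aNULL",` line and one context line, with no `-` line removing the previous boot value string, so it cannot be judged complete from this excerpt. The full hunk should replace the old default in `ConfigureNamesString[]` so the compiled-in default and `postgresql.conf.sample` both say `HIGH:!aNULL`; if they diverge, `SHOW ssl_ciphers` on a default install will not match what the sample file documents.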
diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample
index 34a2d05..e6b7f9a 100644
--- a/src/backend/utils/misc/postgresql.conf.sample
+++ b/src/backend/utils/misc/postgresql.conf.sample
@@ -79,7 +79,7 @@
 #authentication_timeout = 1min		# 1s-600s
 #ssl = off				# (change requires restart)
-#ssl_ciphers = 'DEFAULT:!LOW:!EXP:!MD5:@STRENGTH'	# allowed SSL ciphers
+#ssl_ciphers = 'HIGH:!aNULL'		# allowed SSL ciphers
 					# (change requires restart)
 #ssl_renegotiation_limit = 512MB	# amount of data between renegotiations
 #ssl_cert_file = 'server.crt'		# (change requires restart)
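Review bot: the sample file is updated, but no hunk in this patch touches the user documentation that states the `ssl_ciphers` default, so the docs would keep describing `DEFAULT:!LOW:!EXP:!MD5:@STRENGTH` after this change; the documentation should be updated in the same patch. Since the cover note says `DES-CBC3-MD5` remains reachable on SSL2-capable builds, it would also help to mention in the sample-file comment or the docs that the default assumes SSL2 is disabled elsewhere.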
Sent via pgsql-hackers mailing list (