On Fri, Nov 15, 2013 at 02:16:52PM -0800, Adrian Klaver wrote:
> On 11/15/2013 11:49 AM, Marko Kreen wrote:
> >On Fri, Nov 15, 2013 at 11:16:25AM -0800, Adrian Klaver wrote:
> >>The description of the GUCs show up in the documentation but I am
> >>not seeing the GUCs themselves in postgresql.conf, so I could test
> >>no further. It is entirely possible I am missing a step and would
> >>appreciate enlightenment.
> >
> >Sorry, I forgot to update sample config.
> >
> >ssl-prefer-server-cipher-order-v2.patch
> >- Add GUC to sample config
> >- Change default value to 'true', per comments from Alvaro and Magnus.
> >
> >ssl-ecdh-v2.patch
> >- Add GUC to sample config
> >
> Well that worked.
> I made ssl connections to the server using psql and verified it
> respected the order of ssl_ciphers. I do not have a client available
> with a different view of cipher order so I cannot test that.

Well, these are GUC patches so the thing to test is whether the GUCs work.

  Use non-standard cipher order in server, eg: RC4-SHA:DHE-RSA-AES128-SHA,
  see if on/off works.  You can see OpenSSL default order with
  "openssl ciphers -v".

  It should start using ECDHE-RSA immediately.  Also see if adding
  !ECDH to ciphers will fall back to DHE.  It's kind of hard to test
  the ssl_ecdh_curve as you can't see it anywhere.  I tested it by
  measuring if bigger curve slowed connecting down...

  Bonus - test EC keys:
    $ openssl ecparam -name prime256v1 -out ecparam.pem
    $ openssl req -x509 -newkey ec:ecparam.pem -days 9000 -nodes \
      -subj '/C=US/ST=Somewhere/L=Test/CN=localhost' \
      -keyout server.key -out server.crt

  SSL should stay working, openssl ciphers -v 'value' should not contain
  any weak suites (RC4, SEED, DES-CBC, EXP, NULL) and no non-authenticated
  suites (ADH/AECDH).


Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:

Reply via email to