On Fri, 2013-11-15 at 01:11 +0200, Marko Kreen wrote:
> Attached patch changes the default ciphersuite to
>     HIGH:!aNULL
> instead of old
> where DEFAULT is a shortcut for "ALL:!aNULL:!eNULL".

> Main goal is to leave low-level ciphersuite details to OpenSSL guys
> and give clear impression to Postgres admins what it is about.

If we want to leave the details of the ciphers to OpenSSL, I think we
shouldn't be second-guessing their judgement of what a reasonable
default is.

I checked Apache mod_ssl and Postfix, and even though they are
configuring this slightly differently, I think their defaults end up
being about the same as what PostgreSQL currently has.


>   Contains only secure and well-researched algorithms.
> !aNULL
>   Needed to disable suites that do not authenticate server.
>   DEFAULT includes !aNULL by default.

Wouldn't HIGH exclude aNULL also?  (If not, what about eNULL?)

> !MD5
>   This affects only one suite: DES-CBC3-MD5, which is available only
>   for SSL2 connections.  So it would only pollute the default value.

I think this is only there for political correctness.

>   The OpenSSL cipher list is already sorted by humans,
>   it's unlikely that mechanical sort would improve things.
>   Also the existence of this value in old list is rather
>   dubious, as server cipher order was never respected anyway.

Aren't you proposing to change that?

Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:

Reply via email to