On Fri, 2013-11-15 at 01:11 +0200, Marko Kreen wrote: > Attached patch changes the default ciphersuite to > > HIGH:!aNULL > > instead of old > > DEFAULT:!LOW:!EXP:!MD5:@STRENGTH > > where DEFAULT is a shortcut for "ALL:!aNULL:!eNULL".
> Main goal is to leave low-level ciphersuite details to OpenSSL guys > and give clear impression to Postgres admins what it is about. If we want to leave the details of the ciphers to OpenSSL, I think we shouldn't be second-guessing their judgement of what a reasonable default is. I checked Apache mod_ssl and Postfix, and even though they are configuring this slightly differently, I think their defaults end up being about the same as what PostgreSQL currently has. https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite http://www.postfix.org/postconf.5.html#smtpd_tls_mandatory_ciphers > HIGH: > Contains only secure and well-researched algorithms. > > !aNULL > Needed to disable suites that do not authenticate server. > DEFAULT includes !aNULL by default. Wouldn't HIGH exclude aNULL also? (If not, what about eNULL?) > !MD5 > This affects only one suite: DES-CBC3-MD5, which is available only > for SSL2 connections. So it would only pollute the default value. I think this is only there for political correctness. > @STRENGTH > The OpenSSL cipher list is already sorted by humans, > it's unlikely that mechanical sort would improve things. > Also the existence of this value in old list is rather > dubious, as server cipher order was never respected anyway. Aren't you proposing to change that? -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers