On 12/17/2013 08:26 AM, Bruce Momjian wrote:
On Tue, Dec 17, 2013 at 09:51:30AM -0500, Robert Haas wrote:
On Sun, Dec 15, 2013 at 5:10 PM, James Cloos <cl...@jhcloos.com> wrote:
For reference, see:


for the currently suggested suite for TLS servers.
But for pgsql, I'd leave off the !PSK; pre-shared keys may prove useful
for some.  And RC4, perhaps, also should be !ed.

And if anyone wants Kerberos tls-authentication, one could add
KRB5-DES-CBC3-SHA, but that is ssl3-only.

Once salsa20-poly1305 lands in openssl, that should be added to the
start of the list.

I'm starting to think we should just leave this well enough alone.  We
can't seem to find two people with the same idea of what would be
better than what we have now.  And of course the point of making it a
setting in the first place is that each person can set it to whatever
they deem best.

Yes, I am seeing that too.  Can we agree on one that is _better_ than
what we have now, even if we can't agree on a _best_ one?

Agreed. I would note that what is being proposed is a default that helps those of us (myself included) that do not know ciphers in and out, start with reasonable expectation of protection. This is a GUC so it can be modified to suite personal taste.

Adrian Klaver

Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:

Reply via email to