Re: Heikki Linnakangas 2016-10-06 <[email protected]> > I propose the attached patch. It gives up on trying to deal with multiple > key lengths (as noted earlier, OpenSSL just always passed keylength=1024, so > that was useless). Instead of using the callback, it just sets fixed DH > parameters with SSL_CTX_set_tmp_dh(), like we do for the ECDH curve. The DH > parameters are loaded from a file called "dh_params.pem" (instead of > "dh1024.pem"), if present, otherwise the built-in 2048 bit parameters are > used.
Shouldn't this be a GUC pointing to a configurable location like ssl_cert_file? This way, people reading the security section of the default postgresql.conf would notice that there's something (new) to configure. (And I wouldn't want to start creating symlinks from PGDATA to /etc/ssl/something again...) Thanks, Christoph -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
