Re: Heikki Linnakangas 2016-10-06 <fd6eb3cc-1585-1469-fd9e-763f8e410...@iki.fi> > I propose the attached patch. It gives up on trying to deal with multiple > key lengths (as noted earlier, OpenSSL just always passed keylength=1024, so > that was useless). Instead of using the callback, it just sets fixed DH > parameters with SSL_CTX_set_tmp_dh(), like we do for the ECDH curve. The DH > parameters are loaded from a file called "dh_params.pem" (instead of > "dh1024.pem"), if present, otherwise the built-in 2048 bit parameters are > used.
Shouldn't this be a GUC pointing to a configurable location like ssl_cert_file? This way, people reading the security section of the default postgresql.conf would notice that there's something (new) to configure. (And I wouldn't want to start creating symlinks from PGDATA to /etc/ssl/something again...) Thanks, Christoph -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
