On 07/13/2017 08:04 PM, Alvaro Herrera wrote:
> Michael Paquier wrote:
>> On Thu, Jul 13, 2017 at 5:32 PM, Heikki Linnakangas <hlinn...@iki.fi> wrote:
>>> Objections to committing this now, instead of waiting for v11?
>>
>> But I am -1 for the sneak part. It is not the time to have a new
>> feature in 10, the focus is to stabilize.
>
> But if we were treating it as a security issue, would we backpatch it?
> If we do, then it definitely makes sense to put something in pg10. I'm
> not sure that this patch is it, though -- perhaps it makes sense to put
> a minimal fix in older branches, and let the new feature wait for pg11?
I don't think this can be backpatched. It changes the default DH
parameters from 1024 bits to 2048 bits. That's a good thing for
security, but older clients might not support it, and would refuse to
connect or would fall back to something less secure. I don't think there
are many such clients around anymore, but it's nevertheless not
something we want to do in a stable release. I think the best we can do
is to document the issue and the workaround. To recap, to use stronger
DH parameters in stable versions, you need to do "openssl dhparam -out
But I'd like to take the opportunity to change this for new
installations, with v10, instead of waiting for another year. Of course,
you could say that for any new feature, too, but that doesn't
necessarily mean that it's a bad argument :-). It's a judgment call, for
Sent via pgsql-hackers mailing list (email@example.com)