Re: [HACKERS] PostgreSQL - Weak DH group

2017-07-31 Thread Heikki Linnakangas
On 07/31/2017 02:27 PM, Heikki Linnakangas wrote: Rebased patch attached, with proposed release notes included. Barring new objections or arguments, I'll commit this (only) to v10 later today. Ok, committed for v10. Thanks Nicolas and Damien, and everyone else involved! - Heikki -- Sent

Re: [HACKERS] PostgreSQL - Weak DH group

2017-07-31 Thread Heikki Linnakangas
On 07/13/2017 11:07 PM, Heikki Linnakangas wrote: On 07/13/2017 10:13 PM, Robert Haas wrote: On Thu, Jul 13, 2017 at 1:30 PM, Tom Lane wrote: Heikki Linnakangas writes: I don't think this can be backpatched. It changes the default DH parameters from 1024

Re: [HACKERS] PostgreSQL - Weak DH group

2017-07-13 Thread Heikki Linnakangas
On 07/13/2017 10:13 PM, Robert Haas wrote: On Thu, Jul 13, 2017 at 1:30 PM, Tom Lane wrote: Heikki Linnakangas writes: I don't think this can be backpatched. It changes the default DH parameters from 1024 bits to 2048 bits. That's a good thing for

Re: [HACKERS] PostgreSQL - Weak DH group

2017-07-13 Thread Robert Haas
On Thu, Jul 13, 2017 at 1:30 PM, Tom Lane wrote: > Heikki Linnakangas writes: >> I don't think this can be backpatched. It changes the default DH >> parameters from 1024 bits to 2048 bits. That's a good thing for >> security, but older clients might not

Re: [HACKERS] PostgreSQL - Weak DH group

2017-07-13 Thread Tom Lane
Heikki Linnakangas writes: > I don't think this can be backpatched. It changes the default DH > parameters from 1024 bits to 2048 bits. That's a good thing for > security, but older clients might not support it, and would refuse to > connect or would fall back to something

Re: [HACKERS] PostgreSQL - Weak DH group

2017-07-13 Thread Joe Conway
On 07/13/2017 01:07 PM, Simon Riggs wrote: > On 13 July 2017 at 16:32, Heikki Linnakangas wrote: >> (We dropped the ball back in October, continuing the discussion now) >> >> On 10/10/2016 06:24 PM, Heikki Linnakangas wrote: >>> >>> On 10/06/2016 10:26 PM, Christoph Berg wrote:

Re: [HACKERS] PostgreSQL - Weak DH group

2017-07-13 Thread Heikki Linnakangas
On 07/13/2017 08:04 PM, Alvaro Herrera wrote: Michael Paquier wrote: On Thu, Jul 13, 2017 at 5:32 PM, Heikki Linnakangas wrote: Objections to committing this now, instead of waiting for v11? But I am -1 for the sneak part. It is not the time to have a new feature in 10,

Re: [HACKERS] PostgreSQL - Weak DH group

2017-07-13 Thread Christoph Berg
Re: Alvaro Herrera 2017-07-13 <20170713170402.74uuoivrgd3c6tnw@alvherre.pgsql> > > > Objections to committing this now, instead of waiting for v11? > > > > But I am -1 for the sneak part. It is not the time to have a new > > feature in 10, the focus is to stabilize. > > But if we were treating

Re: [HACKERS] PostgreSQL - Weak DH group

2017-07-13 Thread Simon Riggs
On 13 July 2017 at 16:32, Heikki Linnakangas wrote: > (We dropped the ball back in October, continuing the discussion now) > > On 10/10/2016 06:24 PM, Heikki Linnakangas wrote: >> >> On 10/06/2016 10:26 PM, Christoph Berg wrote: >>> >>> Re: Heikki Linnakangas 2016-10-06 >>>

Re: [HACKERS] PostgreSQL - Weak DH group

2017-07-13 Thread Alvaro Herrera
Michael Paquier wrote: > On Thu, Jul 13, 2017 at 5:32 PM, Heikki Linnakangas wrote: > > Objections to committing this now, instead of waiting for v11? > > But I am -1 for the sneak part. It is not the time to have a new > feature in 10, the focus is to stabilize. But if we

Re: [HACKERS] PostgreSQL - Weak DH group

2017-07-13 Thread Michael Paquier
On Thu, Jul 13, 2017 at 5:32 PM, Heikki Linnakangas wrote: > I rebased the patch, did some other clean up of error reporting, and added a > GUC along those lines, as well as docs. How does this look? > > It's late in the release cycle, but it would be nice to sneak this into v10.

Re: [HACKERS] PostgreSQL - Weak DH group

2017-07-13 Thread Heikki Linnakangas
(We dropped the ball back in October, continuing the discussion now) On 10/10/2016 06:24 PM, Heikki Linnakangas wrote: On 10/06/2016 10:26 PM, Christoph Berg wrote: Re: Heikki Linnakangas 2016-10-06 I propose the attached patch. It gives up on

Re: [HACKERS] PostgreSQL - Weak DH group

2016-10-12 Thread Oskari Saarenmaa
06.10.2016, 16:52, Heikki Linnakangas wrote: I propose the attached patch. It gives up on trying to deal with multiple key lengths (as noted earlier, OpenSSL just always passed keylength=1024, so that was useless). Instead of using the callback, it just sets fixed DH parameters with

Re: [HACKERS] PostgreSQL - Weak DH group

2016-10-10 Thread Heikki Linnakangas
On 10/06/2016 10:26 PM, Christoph Berg wrote: Re: Heikki Linnakangas 2016-10-06 I propose the attached patch. It gives up on trying to deal with multiple key lengths (as noted earlier, OpenSSL just always passed keylength=1024, so that was useless).

Re: [HACKERS] PostgreSQL - Weak DH group

2016-10-06 Thread Christoph Berg
Re: Heikki Linnakangas 2016-10-06 > I propose the attached patch. It gives up on trying to deal with multiple > key lengths (as noted earlier, OpenSSL just always passed keylength=1024, so > that was useless). Instead of using the callback, it just

Re: [HACKERS] PostgreSQL - Weak DH group

2016-10-06 Thread Heikki Linnakangas
On 10/05/2016 09:57 PM, Heikki Linnakangas wrote: On 10/05/2016 05:15 PM, Nicolas Guini wrote: We are working with Postgres 9.3.14 and executing nmap we found that it is using “weak DH group” (nmap --script ssl-dh-params). Weak = 1024 bits. Yeah, it seems that we're a bit

Re: [HACKERS] PostgreSQL - Weak DH group

2016-10-05 Thread Heikki Linnakangas
On 10/05/2016 05:15 PM, Nicolas Guini wrote: We are working with Postgres 9.3.14 and executing nmap we found that it is using “weak DH group” (nmap --script ssl-dh-params). Weak = 1024 bits. Yeah, it seems that we're a bit behind the times on this... This issue is similar

[HACKERS] PostgreSQL - Weak DH group

2016-10-05 Thread Nicolas Guini
Hello everyone, I sent a few days ago to the security DL a mail reporting a vulnerability in how Postgres is requesting DH params to be used later for encryption algorithms. So, since there is no problem sharing with this group, here is what I sent: