committed
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
On Sat, Feb 22, 2014 at 08:31:14PM -0500, Peter Eisentraut wrote:
> On 2/2/14, 7:16 AM, Marko Kreen wrote:
> > On Thu, Dec 12, 2013 at 04:32:07PM +0200, Marko Kreen wrote:
> >> Attached patch changes default ciphersuite to HIGH:MEDIUM:+3DES:!aNULL
> >> and also adds documentation about reasoning fo
On 2/2/14, 7:16 AM, Marko Kreen wrote:
> On Thu, Dec 12, 2013 at 04:32:07PM +0200, Marko Kreen wrote:
>> Attached patch changes default ciphersuite to HIGH:MEDIUM:+3DES:!aNULL
>> and also adds documentation about reasoning for it.
>
> This is the last pending SSL cleanup related patch:
>
> http
On Thu, Dec 12, 2013 at 04:32:07PM +0200, Marko Kreen wrote:
> Attached patch changes default ciphersuite to HIGH:MEDIUM:+3DES:!aNULL
> and also adds documentation about reasoning for it.
This is the last pending SSL cleanup related patch:
https://commitfest.postgresql.org/action/patch_view?id=
On Sun, Dec 15, 2013 at 05:10:38PM -0500, James Cloos wrote:
> > "MK" == Marko Kreen writes:
> > "PE" == Peter Eisentraut writes:
> PE> Any other opinions on this out there?
>
> For reference, see:
>
> https://wiki.mozilla.org/Security/Server_Side_TLS
>
> for the currently suggested
On 18/12/13 05:26, Bruce Momjian wrote:
> On Tue, Dec 17, 2013 at 09:51:30AM -0500, Robert Haas wrote:
> > On Sun, Dec 15, 2013 at 5:10 PM, James Cloos wrote:
> > > For reference, see:
> > >
> > > https://wiki.mozilla.org/Security/Server_Side_TLS
> > >
> > > for the currently suggested suite for TLS servers.
> > ...
> > > But for p
On Tue, Dec 17, 2013 at 11:26:13AM -0500, Bruce Momjian wrote:
> On Tue, Dec 17, 2013 at 09:51:30AM -0500, Robert Haas wrote:
> > I'm starting to think we should just leave this well enough alone. We
> > can't seem to find two people with the same idea of what would be
> > better than what we have
On 12/17/2013 08:26 AM, Bruce Momjian wrote:
> On Tue, Dec 17, 2013 at 09:51:30AM -0500, Robert Haas wrote:
> > On Sun, Dec 15, 2013 at 5:10 PM, James Cloos wrote:
> > > For reference, see:
> > >
> > > https://wiki.mozilla.org/Security/Server_Side_TLS
> > >
> > > for the currently suggested suite for TLS servers.
> > ...
> > > But
On Tue, Dec 17, 2013 at 09:51:30AM -0500, Robert Haas wrote:
> On Sun, Dec 15, 2013 at 5:10 PM, James Cloos wrote:
> > For reference, see:
> >
> > https://wiki.mozilla.org/Security/Server_Side_TLS
> >
> > for the currently suggested suite for TLS servers.
> ...
> > But for pgsql, I'd leave off t
On Sun, Dec 15, 2013 at 5:10 PM, James Cloos wrote:
> For reference, see:
>
> https://wiki.mozilla.org/Security/Server_Side_TLS
>
> for the currently suggested suite for TLS servers.
...
> But for pgsql, I'd leave off the !PSK; pre-shared keys may prove useful
> for some. And RC4, perhaps, also
> "MK" == Marko Kreen writes:
> "PE" == Peter Eisentraut writes:
MK>> Well, we should - the DEFAULT is clearly a client-side default
MK>> for compatibility only. No server should ever run with it.
PE> Any other opinions on this out there?
For reference, see:
https://wiki.mozilla.or
On Thu, Dec 12, 2013 at 09:18:03PM -0500, Peter Eisentraut wrote:
> On Thu, 2013-12-12 at 12:30 +0200, Marko Kreen wrote:
> > First, if there is explicit wish to keep RC4/SEED in play, I'm fine
> > with "HIGH:MEDIUM:!aNULL" as new default. Clarity-wise, it's still
> > much better than current valu
On Thu, 2013-12-12 at 12:30 +0200, Marko Kreen wrote:
> First, if there is explicit wish to keep RC4/SEED in play, I'm fine
> with "HIGH:MEDIUM:!aNULL" as new default. Clarity-wise, it's still
> much better than current value. And this value will result *exactly*
> same list in same order as curr
On Thu, Dec 12, 2013 at 01:33:57PM +0100, Magnus Hagander wrote:
> On Thu, Dec 12, 2013 at 11:30 AM, Marko Kreen wrote:
> > On Wed, Dec 11, 2013 at 10:08:44PM -0500, Tom Lane wrote:
> > I know that SChannel SSL library in Windows XP (and earlier) is such
> > RC4+3DES only implementation, but I hav
On Thu, Dec 12, 2013 at 11:30 AM, Marko Kreen wrote:
> On Wed, Dec 11, 2013 at 10:08:44PM -0500, Tom Lane wrote:
> > Peter Eisentraut writes:
> > > Any other opinions on this out there? All instances of other
> > > SSL-enabled servers out there, except nginx, default to some variant of
> > > DE
On Wed, Dec 11, 2013 at 10:08:44PM -0500, Tom Lane wrote:
> Peter Eisentraut writes:
> > Any other opinions on this out there? All instances of other
> > SSL-enabled servers out there, except nginx, default to some variant of
> > DEFAULT:!LOW:... or HIGH:MEDIUM: The proposal here is essentia
Peter Eisentraut writes:
> Any other opinions on this out there? All instances of other
> SSL-enabled servers out there, except nginx, default to some variant of
> DEFAULT:!LOW:... or HIGH:MEDIUM: The proposal here is essentially
> to disable MEDIUM ciphers by default, which is explicitly ad
On Fri, 2013-11-29 at 18:43 +0200, Marko Kreen wrote:
> Well, we should - the DEFAULT is clearly a client-side default
> for compatibility only. No server should ever run with it.
Any other opinions on this out there? All instances of other
SSL-enabled servers out there, except nginx, default to
On Fri, Nov 29, 2013 at 09:18:49AM -0500, Peter Eisentraut wrote:
> On Fri, 2013-11-15 at 01:11 +0200, Marko Kreen wrote:
> > Attached patch changes the default ciphersuite to
> >
> > HIGH:!aNULL
> >
> > instead of old
> >
> > DEFAULT:!LOW:!EXP:!MD5:@STRENGTH
> >
> > where DEFAULT is a
On Fri, 2013-11-15 at 01:11 +0200, Marko Kreen wrote:
> Attached patch changes the default ciphersuite to
>
> HIGH:!aNULL
>
> instead of old
>
> DEFAULT:!LOW:!EXP:!MD5:@STRENGTH
>
> where DEFAULT is a shortcut for "ALL:!aNULL:!eNULL".
> Main goal is to leave low-level ciphersuite detai
Attached patch changes the default ciphersuite to
HIGH:!aNULL
instead of old
DEFAULT:!LOW:!EXP:!MD5:@STRENGTH
where DEFAULT is a shortcut for "ALL:!aNULL:!eNULL".
Main goal is to leave low-level ciphersuite details to OpenSSL guys
and give clear impression to Postgres admins what it i