Re: [HACKERS] [PATCH 1/2] SSL: GUC option to prefer server cipher order
Committed your v2 patch (with default to on). I added a small snippet of documentation explaining that this setting is mainly for backward compatibility. -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
Re: [HACKERS] [PATCH 1/2] SSL: GUC option to prefer server cipher order
On Fri, Nov 29, 2013 at 05:51:28PM +0200, Heikki Linnakangas wrote: > On 11/29/2013 05:43 PM, Marko Kreen wrote: > >On Fri, Nov 29, 2013 at 09:25:02AM -0500, Peter Eisentraut wrote: > >>On Thu, 2013-11-14 at 11:45 +0100, Magnus Hagander wrote: > >>>I think the default behaviour should be the one we recommend (which > >>>would be to have the server one be preferred). But I do agree with the > >>>requirement to have a GUC to be able to remove it > >> > >>Is there a reason why you would want to turn it off? > > > >GUC is there so old behaviour can be restored. > > > >Why would anyone want that, I don't know. In context of PostgreSQL, > >I see no reason to prefer old behaviour. > > Imagine that the server is public, and anyone can connect. The > server offers SSL protection not to protect the data in the server, > since that's public anyway, but to protect the communication of the > client. In that situation, it should be the client's choice what > encryption to use (if any). This is analogous to using https on a > public website. > > I concur that that's pretty far-fetched. Just changing the behavior, > with no GUC, is fine by me. But client can control that behaviour - it just needs to specify suites it wants and drop the rest. So only question is that does any client have better (non-tuned?) defaults than we can set from server. Considering the whole HTTPS world has answered 'no' to that question and nowadays server-controlled behaviour is preferred, I think it's safe to change the behaviour in Postgres too. -- marko -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
Re: [HACKERS] [PATCH 1/2] SSL: GUC option to prefer server cipher order
On 11/29/2013 05:43 PM, Marko Kreen wrote: On Fri, Nov 29, 2013 at 09:25:02AM -0500, Peter Eisentraut wrote: On Thu, 2013-11-14 at 11:45 +0100, Magnus Hagander wrote: I think the default behaviour should be the one we recommend (which would be to have the server one be preferred). But I do agree with the requirement to have a GUC to be able to remove it Is there a reason why you would want to turn it off? GUC is there so old behaviour can be restored. Why would anyone want that, I don't know. In context of PostgreSQL, I see no reason to prefer old behaviour. Imagine that the server is public, and anyone can connect. The server offers SSL protection not to protect the data in the server, since that's public anyway, but to protect the communication of the client. In that situation, it should be the client's choice what encryption to use (if any). This is analogous to using https on a public website. I concur that that's pretty far-fetched. Just changing the behavior, with no GUC, is fine by me. - Heikki -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
Re: [HACKERS] [PATCH 1/2] SSL: GUC option to prefer server cipher order
On Fri, Nov 29, 2013 at 09:25:02AM -0500, Peter Eisentraut wrote: > On Thu, 2013-11-14 at 11:45 +0100, Magnus Hagander wrote: > > I think the default behaviour should be the one we recommend (which > > would be to have the server one be preferred). But I do agree with the > > requirement to have a GUC to be able to remove it > > Is there a reason why you would want to turn it off? GUC is there so old behaviour can be restored. Why would anyone want that, I don't know. In context of PostgreSQL, I see no reason to prefer old behaviour. -- marko -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
Re: [HACKERS] [PATCH 1/2] SSL: GUC option to prefer server cipher order
On Thu, 2013-11-14 at 11:45 +0100, Magnus Hagander wrote: > I think the default behaviour should be the one we recommend (which > would be to have the server one be preferred). But I do agree with the > requirement to have a GUC to be able to remove it Is there a reason why you would want to turn it off? -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
Re: [HACKERS] [PATCH 1/2] SSL: GUC option to prefer server cipher order
On Thursday, November 7, 2013, Marko Kreen wrote: > On Wed, Nov 06, 2013 at 09:57:32PM -0300, Alvaro Herrera wrote: > > Marko Kreen escribió: > > > > > By default OpenSSL (and SSL/TLS in general) lets client cipher > > > order take priority. This is OK for browsers where the ciphers > > > were tuned, but few Postgres client libraries make cipher order > > > configurable. So it makes sense to make cipher order in > > > postgresql.conf take priority over client defaults. > > > > > > This patch adds setting 'ssl_prefer_server_ciphers' which can be > > > turned on so that server cipher order is preferred. > > > > Wouldn't it make more sense to have this enabled by default? > > Well, yes. :) > > I would even drop the GUC setting, but hypothetically there could > be some sort of backwards compatiblity concerns, so I added it > to patch and kept old default. But if noone has strong need for it, > the setting can be removed. > I think the default behaviour should be the one we recommend (which would be to have the server one be preferred). But I do agree with the requirement to have a GUC to be able to remove it - even though I don't like the idea of more GUCs. But making it a compile time option would make it the same as not having one... //Magnus -- Magnus Hagander Me: http://www.hagander.net/ Work: http://www.redpill-linpro.com/
Re: [HACKERS] [PATCH 1/2] SSL: GUC option to prefer server cipher order
On Wed, Nov 06, 2013 at 09:57:32PM -0300, Alvaro Herrera wrote: > Marko Kreen escribió: > > > By default OpenSSL (and SSL/TLS in general) lets client cipher > > order take priority. This is OK for browsers where the ciphers > > were tuned, but few Postgres client libraries make cipher order > > configurable. So it makes sense to make cipher order in > > postgresql.conf take priority over client defaults. > > > > This patch adds setting 'ssl_prefer_server_ciphers' which can be > > turned on so that server cipher order is preferred. > > Wouldn't it make more sense to have this enabled by default? Well, yes. :) I would even drop the GUC setting, but hypothetically there could be some sort of backwards compatiblity concerns, so I added it to patch and kept old default. But if noone has strong need for it, the setting can be removed. -- marko -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
Re: [HACKERS] [PATCH 1/2] SSL: GUC option to prefer server cipher order
Marko Kreen escribió: > By default OpenSSL (and SSL/TLS in general) lets client cipher > order take priority. This is OK for browsers where the ciphers > were tuned, but few Postgres client libraries make cipher order > configurable. So it makes sense to make cipher order in > postgresql.conf take priority over client defaults. > > This patch adds setting 'ssl_prefer_server_ciphers' which can be > turned on so that server cipher order is preferred. Wouldn't it make more sense to have this enabled by default? -- Álvaro Herrerahttp://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Training & Services -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
