Re: [PATCH 1/2] SSL: GUC option to prefer server cipher order

From: Marko Kreen <markokr(at)gmail(dot)com>
To: Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: [PATCH 1/2] SSL: GUC option to prefer server cipher order
Date: 2013-11-07 01:07:45
Message-ID: 20131107010745.GA9968@gmail.com
Lists: pgsql-hackers

On Wed, Nov 06, 2013 at 09:57:32PM -0300, Alvaro Herrera wrote:
> Marko Kreen wrote:
>
> > By default OpenSSL (and SSL/TLS in general) lets client cipher
> > order take priority. This is OK for browsers where the ciphers
> > were tuned, but few Postgres client libraries make cipher order
> > configurable. So it makes sense to make cipher order in
> > postgresql.conf take priority over client defaults.
> >
> > This patch adds the setting 'ssl_prefer_server_ciphers' which can be
> > turned on so that server cipher order is preferred.
>
> Wouldn't it make more sense to have this enabled by default?

Well, yes. :)

I would even drop the GUC setting, but hypothetically there could
be some sort of backwards compatibility concerns, so I added it
to the patch and kept the old default. But if no one has a strong need for it,
the setting can be removed.

--
marko
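
An added illustration of the selection rule discussed in this message, not code from the patch, PostgreSQL or OpenSSL: a simplified Python model of choosing a cipher suite by client order versus server order. The function names, client names and suite orders are constructed for the example, and the model ignores protocol-version and certificate constraints.

```python
"""Toy model of TLS cipher-suite selection (added example, not project code)."""


class NoSharedCipher(Exception):
    """Raised when client and server have no cipher suite in common."""


def negotiate(client_offer, server_list, prefer_server):
    """Return the cipher suite picked for one handshake.

    client_offer  -- suites in the client's preference order (ClientHello)
    server_list   -- suites in the server's configured order
    prefer_server -- models ssl_prefer_server_ciphers being turned on
    """
    if prefer_server:
        ordered, allowed = server_list, set(client_offer)
    else:
        ordered, allowed = client_offer, set(server_list)
    for suite in ordered:
        if suite in allowed:
            return suite
    raise NoSharedCipher(f"client={client_offer} server={server_list}")


def audit(clients, server_list):
    """Map client name -> (suite with client order, suite with server order)."""
    report = {}
    for name, offer in clients.items():
        try:
            report[name] = (negotiate(offer, server_list, False),
                            negotiate(offer, server_list, True))
        except NoSharedCipher:
            # The shared set is identical under both policies, so a client
            # with nothing in common fails either way.
            report[name] = (None, None)
    return report


# Constructed sample data: OpenSSL-style suite names, orders invented here.
SERVER = ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
          "AES128-SHA", "RC4-SHA"]
CLIENTS = {
    "tuned_browser": ["ECDHE-RSA-AES128-GCM-SHA256",
                      "ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA"],
    "untuned_driver": ["RC4-SHA", "AES128-SHA", "ECDHE-RSA-AES256-GCM-SHA384"],
    "legacy_only": ["DES-CBC3-SHA"],
}

if __name__ == "__main__":
    for name, (by_client, by_server) in audit(CLIENTS, SERVER).items():
        print(f"{name:15} client-order={by_client}  server-order={by_server}")
```

In this model the setting changes which shared suite is chosen, not whether one is found: the constructed `untuned_driver` moves from its own first choice to the server's first choice, while `legacy_only` fails under both policies.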
