| From: | Bruce Momjian <bruce(at)momjian(dot)us> |
|---|---|
| To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
| Cc: | James Cloos <cloos(at)jhcloos(dot)com>, Postgres Hackers List <pgsql-hackers(at)postgresql(dot)org>, Marko Kreen <markokr(at)gmail(dot)com>, Peter Eisentraut <peter_e(at)gmx(dot)net> |
| Subject: | Re: SSL: better default ciphersuite |
| Date: | 2013-12-17 16:26:13 |
| Message-ID: | 20131217162613.GC19059@momjian.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Tue, Dec 17, 2013 at 09:51:30AM -0500, Robert Haas wrote:
> On Sun, Dec 15, 2013 at 5:10 PM, James Cloos <cloos(at)jhcloos(dot)com> wrote:
> > For reference, see:
> >
> > https://wiki.mozilla.org/Security/Server_Side_TLS
> >
> > for the currently suggested suite for TLS servers.
> ...
> > But for pgsql, I'd leave off the !PSK; pre-shared keys may prove useful
> > for some. And RC4, perhaps, also should be !ed.
> >
> > And if anyone wants Kerberos tls-authentication, one could add
> > KRB5-DES-CBC3-SHA, but that is ssl3-only.
> >
> > Once salsa20-poly1305 lands in openssl, that should be added to the
> > start of the list.
>
> I'm starting to think we should just leave this well enough alone. We
> can't seem to find two people with the same idea of what would be
> better than what we have now. And of course the point of making it a
> setting in the first place is that each person can set it to whatever
> they deem best.
Yes, I am seeing that too. Can we agree on one that is _better_ than
what we have now, even if we can't agree on a _best_ one?
--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ Everyone has their own god. +
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Robert Haas | 2013-12-17 16:45:51 | Re: pg_rewarm status |
| Previous Message | Andrew Dunstan | 2013-12-17 16:16:40 | Re: BUG #8676: Bug Money JSON |