From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | Marko Kreen <markokr(at)gmail(dot)com> |
Cc: | Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: [PATCH 1/2] SSL: GUC option to prefer server cipher order |
Date: | 2013-11-14 10:45:56 |
Message-ID: | CABUevEyfc2mOfzpv1jz+x=_vB_6pYd9QbroJRjY_UMeB3O3zeg@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Thursday, November 7, 2013, Marko Kreen wrote:
> On Wed, Nov 06, 2013 at 09:57:32PM -0300, Alvaro Herrera wrote:
> > Marko Kreen escribió:
> >
> > > By default OpenSSL (and SSL/TLS in general) lets client cipher
> > > order take priority. This is OK for browsers where the ciphers
> > > were tuned, but few Postgres client libraries make cipher order
> > > configurable. So it makes sense to make cipher order in
> > > postgresql.conf take priority over client defaults.
> > >
> > > This patch adds setting 'ssl_prefer_server_ciphers' which can be
> > > turned on so that server cipher order is preferred.
> >
> > Wouldn't it make more sense to have this enabled by default?
>
> Well, yes. :)
>
> I would even drop the GUC setting, but hypothetically there could
> be some sort of backwards compatiblity concerns, so I added it
> to patch and kept old default. But if noone has strong need for it,
> the setting can be removed.
>
I think the default behaviour should be the one we recommend (which would
be to have the server one be preferred). But I do agree with the
requirement to have a GUC to be able to remove it - even though I don't
like the idea of more GUCs. But making it a compile time option would make
it the same as not having one...
//Magnus
--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
From | Date | Subject | |
---|---|---|---|
Next Message | Florian Weimer | 2013-11-14 10:51:19 | Re: Logging WAL when updating hintbit |
Previous Message | Magnus Hagander | 2013-11-14 10:45:52 | Re: [GENERAL] Clang 3.3 Analyzer Results |