From: | Marko Kreen <markokr(at)gmail(dot)com> |
---|---|
To: | Postgres Hackers List <pgsql-hackers(at)postgresql(dot)org> |
Subject: | [9.4] Minor SSL/ECDH related doc fixes |
Date: | 2014-05-17 19:36:59 |
Message-ID: | 20140517193659.GA13861@gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
- Clarify ECDH decription in release notes.
- Fix default value - it's 'prime256v1'.
- List curves with good cross-platform support explicitly
(NIST P-256 / P-384 / P-521).
The -list_curves output is full of garbage, it's hard to know which
ones make sense to use. Only those three curves are supported
cross-platform - OpenSSL/Java/Windows - so list them explicitly.
Only reason to tune this value is changing overall security
level up/down, so now this can be done safely and quickly.
Only upwards though. We could also list here NIST P-192/P-224
(prime192v1, secp224r1), but those are not supported by Windows.
And prime256v1 is quite fast already.
In the future it might make philosophical sense to list
also Brainpool curves (RFC7027), or some new curves from
http://safecurves.cr.yp.to/ when they are brought to TLS.
But currently only NIST/NSA curves are working option,
so let's keep it simple for users.
--
marko
Attachment | Content-Type | Size |
---|---|---|
ssl-docfixes.diff | text/x-diff | 2.5 KB |
From | Date | Subject | |
---|---|---|---|
Next Message | Tom Lane | 2014-05-17 20:12:41 | Re: btree_gist macaddr valgrind woes |
Previous Message | Andres Freund | 2014-05-17 19:31:40 | Re: buildfarm: strange OOM failures on markhor (running CLOBBER_CACHE_RECURSIVELY) |