| From: | Christoph Berg <myon(at)debian(dot)org> |
|---|---|
| To: | Heikki Linnakangas <hlinnaka(at)iki(dot)fi> |
| Cc: | Nicolas Guini <nicolasguini(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org, Damian Quiroga <qdamian(at)gmail(dot)com> |
| Subject: | Re: PostgreSQL - Weak DH group |
| Date: | 2016-10-06 19:26:42 |
| Message-ID: | 20161006192642.zgxukwjj2kvyh4hr@msg.df7cb.de |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Re: Heikki Linnakangas 2016-10-06 <fd6eb3cc-1585-1469-fd9e-763f8e410b19(at)iki(dot)fi>
> I propose the attached patch. It gives up on trying to deal with multiple
> key lengths (as noted earlier, OpenSSL just always passed keylength=1024, so
> that was useless). Instead of using the callback, it just sets fixed DH
> parameters with SSL_CTX_set_tmp_dh(), like we do for the ECDH curve. The DH
> parameters are loaded from a file called "dh_params.pem" (instead of
> "dh1024.pem"), if present, otherwise the built-in 2048 bit parameters are
> used.
Shouldn't this be a GUC pointing to a configurable location like
ssl_cert_file? This way, people reading the security section of the
default postgresql.conf would notice that there's something (new) to
configure. (And I wouldn't want to start creating symlinks from PGDATA
to /etc/ssl/something again...)
Thanks,
Christoph
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Jeff Janes | 2016-10-06 19:56:22 | Re: VACUUM's ancillary tasks |
| Previous Message | Robert Haas | 2016-10-06 18:55:55 | Re: Switch to unnamed POSIX semaphores as our preferred sema code? |