Re: Review:Patch: SSL: prefer server cipher order

On 11/16/2013 01:13 PM, Marko Kreen wrote:
> On Sat, Nov 16, 2013 at 01:03:05PM -0800, Adrian Klaver wrote:
>> On 11/16/2013 12:37 PM, Marko Kreen wrote:
>>> Thanks for testing!
>>>
>>> On Sat, Nov 16, 2013 at 12:17:40PM -0800, Adrian Klaver wrote:
>>>> On 11/16/2013 06:24 AM, Marko Kreen wrote:
>>>>> ssl-better-default:
>>>>> SSL should stay working, openssl ciphers -v 'value' should not contain
>>>>> any weak suites (RC4, SEED, DES-CBC, EXP, NULL) and no non-authenticated
>>>>> suites (ADH/AECDH).
>>>>
>>>> Not sure about the above, if it is a GUC I can't find it. If it is
>>>> something else than I will have to plead ignorance.
>>>
>>> The patch just changes the default value for 'ssl_ciphers' GUC.
>>
>> I am still not sure what patch you are talking about. The two
>> patches I saw where for server_prefer and ECDH key exchange.
>>
>>>
>>> The question is if the value works at all, and is good.
>>>
>>
>> What value would we be talking about?
>
> Ah, sorry. It's this one:
>
> https://commitfest.postgresql.org/action/patch_view?id=1310

Got it, applied it.

Results:

openssl ciphers -v 'HIGH:!aNULL'|egrep
'(RC4|SEED|DES-CBC|EXP|NULL|ADH|AECDH)'

ECDHE-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1
ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
ECDH-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=3DES(168) Mac=SHA1
ECDH-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5

>
>> Note: I have been working through a head cold and thought processes
>> are sluggish, handle accordingly:)
>
> Get better soon! :)

Thanks, the worst is over.

>

--
Adrian Klaver
adrian(dot)klaver(at)gmail(dot)com