From: | Adrian Klaver <adrian(dot)klaver(at)gmail(dot)com> |
---|---|
To: | Marko Kreen <markokr(at)gmail(dot)com> |
Cc: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Review:Patch: SSL: prefer server cipher order |
Date: | 2013-11-16 22:07:57 |
Message-ID: | 5287ECBD.6000707@gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On 11/16/2013 01:13 PM, Marko Kreen wrote:
> On Sat, Nov 16, 2013 at 01:03:05PM -0800, Adrian Klaver wrote:
>> On 11/16/2013 12:37 PM, Marko Kreen wrote:
>>> Thanks for testing!
>>>
>>> On Sat, Nov 16, 2013 at 12:17:40PM -0800, Adrian Klaver wrote:
>>>> On 11/16/2013 06:24 AM, Marko Kreen wrote:
>>>>> ssl-better-default:
>>>>> SSL should stay working, openssl ciphers -v 'value' should not contain
>>>>> any weak suites (RC4, SEED, DES-CBC, EXP, NULL) and no non-authenticated
>>>>> suites (ADH/AECDH).
>>>>
>>>> Not sure about the above, if it is a GUC I can't find it. If it is
>>>> something else than I will have to plead ignorance.
>>>
>>> The patch just changes the default value for 'ssl_ciphers' GUC.
>>
>> I am still not sure what patch you are talking about. The two
>> patches I saw where for server_prefer and ECDH key exchange.
>>
>>>
>>> The question is if the value works at all, and is good.
>>>
>>
>> What value would we be talking about?
>
> Ah, sorry. It's this one:
>
> https://commitfest.postgresql.org/action/patch_view?id=1310
Got it, applied it.
Results:
openssl ciphers -v 'HIGH:!aNULL'|egrep
'(RC4|SEED|DES-CBC|EXP|NULL|ADH|AECDH)'
ECDHE-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1
ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
ECDH-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=3DES(168) Mac=SHA1
ECDH-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
>
>> Note: I have been working through a head cold and thought processes
>> are sluggish, handle accordingly:)
>
> Get better soon! :)
Thanks, the worst is over.
>
--
Adrian Klaver
adrian(dot)klaver(at)gmail(dot)com
From | Date | Subject | |
---|---|---|---|
Next Message | Marko Kreen | 2013-11-16 22:41:57 | Re: Review:Patch: SSL: prefer server cipher order |
Previous Message | Hannu Krosing | 2013-11-16 22:04:23 | Re: additional json functionality |