Re: SSL: better default ciphersuite

From: Robert Haas <robertmhaas(at)gmail(dot)com>
To: James Cloos <cloos(at)jhcloos(dot)com>
Cc: Postgres Hackers List <pgsql-hackers(at)postgresql(dot)org>, Marko Kreen <markokr(at)gmail(dot)com>, Peter Eisentraut <peter_e(at)gmx(dot)net>
Subject: Re: SSL: better default ciphersuite
Date: 2013-12-17 14:51:30
Message-ID: CA+Tgmob=HNrFwDLm-kKjbROfAwmLQd8Snre=8taS7PMZ30VpoA@mail.gmail.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

On Sun, Dec 15, 2013 at 5:10 PM, James Cloos <cloos(at)jhcloos(dot)com> wrote:
> For reference, see:
>
> https://wiki.mozilla.org/Security/Server_Side_TLS
>
> for the currently suggested suite for TLS servers.
...
> But for pgsql, I'd leave off the !PSK; pre-shared keys may prove useful
> for some. And RC4, perhaps, also should be !ed.
>
> And if anyone wants Kerberos tls-authentication, one could add
> KRB5-DES-CBC3-SHA, but that is ssl3-only.
>
> Once salsa20-poly1305 lands in openssl, that should be added to the
> start of the list.

I'm starting to think we should just leave this well enough alone. We
can't seem to find two people with the same idea of what would be
better than what we have now. And of course the point of making it a
setting in the first place is that each person can set it to whatever
they deem best.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Robert Haas 2013-12-17 14:56:33 Re: Proposal: variant of regclass
Previous Message Andrew Dunstan 2013-12-17 14:44:00 Re: BUG #8676: Bug Money JSON