| From: | Daniel Gustafsson <daniel(at)yesql(dot)se> |
|---|---|
| To: | Michael Paquier <michael(at)paquier(dot)xyz> |
| Cc: | Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: Replacing the EDH SKIP primes |
| Date: | 2019-07-04 06:24:13 |
| Message-ID: | CAA877DE-B524-4A94-8579-5FFD1F32F208@yesql.se |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
> On 04 Jul 2019, at 02:58, Michael Paquier <michael(at)paquier(dot)xyz> wrote:
>
>> On Wed, Jul 03, 2019 at 08:56:42PM +0200, Daniel Gustafsson wrote:
>> Agreed, I’ve updated the patch with a comment on this formulated such that it
>> should stand the test of time even as OpenSSL changes etc.
>
> I'd like to think that we had rather mention the warning issue
> explicitely, so as people don't get surprised, like that for example:
>
> * This is the 2048-bit DH parameter from RFC 3526. The generation of the
> * prime is specified in RFC 2412, which also discusses the design choice
> * of the generator. Note that when loaded with OpenSSL this causes
> * DH_check() to fail on with DH_NOT_SUITABLE_GENERATOR, where leaking
> * a bit is preferred.
>
> Now this makes an OpenSSL-specific issue pop up within a section of
> the code where we want to make things more generic with SSL, so your
> simpler version has good arguments as well.
>
> I have just rechecked the shape of the key, and we have an exact
> match.
LGTM, thanks.
cheers ./daniel
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Michael Paquier | 2019-07-04 07:14:09 | Re: Refactoring base64 encoding and decoding into a safer interface |
| Previous Message | Andrew Gierth | 2019-07-04 05:57:19 | Re: UCT (Re: pgsql: Update time zone data files to tzdata release 2019a.) |