Re: DH_check return value test correct?
| From | Martijn van Oosterhout |
|---|---|
| Subject | Re: DH_check return value test correct? |
| Date | |
| Msg-id | 20060513091027.GJ12955@svana.org |
| In reply to | Re: DH_check return value test correct? (Tom Lane <tgl@sss.pgh.pa.us>) |
| List | pgsql-hackers |
On Fri, May 12, 2006 at 09:05:55PM -0400, Tom Lane wrote:
> Michael Fuhr <mike@fuhr.org> writes:
> > Incidentally, is it necessary to load the DH parameters anew and
> > call DH_check for every connection?
>
> We could maybe improve on that on Unix, but not so easily on Windows.
> Given the evidently nonexistent demand for this feature, I can't see
> putting any work into it ;-)

To be honest I'm not entirely sure of the benefits of allowing people to
specify the DH params. For the GnuTLS patch I just got the backend to
generate the params on postmaster start because I couldn't think of a
reason why you'd want to either use hard-coded values or user-specified
ones.

They're not security sensitive, knowing them doesn't help you crack the
stream. The client simply gets a copy of the server's parameters when
initiating the connection. What they do do is protect the security of the
stream if the private key has been compromised. So we should use EDH, but
there's still no reason for the user to want to specify the parameters...

Have a nice day,
--
Martijn van Oosterhout <kleptog@svana.org> http://svana.org/kleptog/
> From each according to his ability. To each according to his ability to litigate.
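As an added illustration of the two points made in the message above (the DH parameters are public and only need to pass a validity check, while the protection of the stream comes from the ephemeral exponents), here is a small pure-Python model. It is example code written for this page, not PostgreSQL, GnuTLS or OpenSSL code. The `dh_check()` function mirrors the shape of OpenSSL's `DH_check()` (a "the check ran" result plus a `codes` bitmask that has to be inspected separately); the flag names follow OpenSSL's, but their values, the `generate_safe_prime()` and `edh_session()` helpers and the 64-bit toy parameter size are assumptions made for this example and are far too small for real use.

```python
"""Toy model of DH parameter checking and an ephemeral DH (EDH) exchange.

Added example for this page; not PostgreSQL, GnuTLS or OpenSSL code.
Parameter sizes are constructed toy values, far too small for real use.
"""
import secrets

# Bit flags modelled on the "codes" bitmask that OpenSSL's DH_check() fills in.
# The names follow OpenSSL's; the values are assumptions for this example.
DH_CHECK_P_NOT_PRIME = 0x01
DH_CHECK_P_NOT_SAFE_PRIME = 0x02
DH_NOT_SUITABLE_GENERATOR = 0x08


def is_probable_prime(n, rounds=24):
    """Miller-Rabin probable-prime test (trial division first for speed)."""
    if n < 2:
        return False
    for s in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_safe_prime(bits):
    """Find p = 2q + 1 with both p and q prime, the way a server could do it
    once at start-up (as the message suggests) rather than per connection."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


def dh_check(p, g):
    """Validate DH parameters, reporting them the way DH_check() does:
    returns (executed, codes). `executed` is True whenever the check ran at
    all, so a caller that tests only that value accepts bad parameters."""
    codes = 0
    if not is_probable_prime(p):
        codes |= DH_CHECK_P_NOT_PRIME
    elif not is_probable_prime((p - 1) // 2):
        codes |= DH_CHECK_P_NOT_SAFE_PRIME
    # In a safe-prime group every element except 0, 1 and p-1 has order
    # q or 2q, so those are the only unsuitable generators.
    if g <= 1 or g >= p - 1:
        codes |= DH_NOT_SUITABLE_GENERATOR
    return True, codes


def params_are_usable(p, g):
    """Correct use of dh_check(): parameters are good only when the check
    ran AND reported no problems in the codes bitmask."""
    executed, codes = dh_check(p, g)
    return executed and codes == 0


def edh_session(p, g):
    """One ephemeral DH handshake. Only p, g and the two public values go on
    the wire (so the client simply receives the server's parameters); the
    private exponents never leave this function, which is why a later
    compromise of the server's long-term key does not reveal the secret."""
    x = 2 + secrets.randbelow(p - 3)   # server's ephemeral private exponent
    y = 2 + secrets.randbelow(p - 3)   # client's ephemeral private exponent
    server_pub, client_pub = pow(g, x, p), pow(g, y, p)
    wire = {"p": p, "g": g, "server_pub": server_pub, "client_pub": client_pub}
    server_secret = pow(client_pub, x, p)
    client_secret = pow(server_pub, y, p)
    return wire, server_secret, client_secret


if __name__ == "__main__":
    p = generate_safe_prime(64)          # toy size; real groups are 2048+ bits
    assert params_are_usable(p, 2)
    wire1, s1, c1 = edh_session(p, 2)
    wire2, s2, c2 = edh_session(p, 2)
    print("public parameters on the wire:", wire1["p"], wire1["g"])
    print("both sides agree:", s1 == c1 and s2 == c2,
          "secrets differ between sessions:", s1 != s2)
```

The `params_are_usable()` wrapper is the check a caller actually wants: a `True` first result from `dh_check()` says only that the check executed, and the constructed bad inputs in the test (a composite `p`, a prime `p` whose `(p-1)/2` is composite, and `g = p-1`) all return `True` there while setting a bit in `codes`.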