Re: [PATCH 1/2] SSL: GUC option to prefer server cipher order
From | Marko Kreen |
---|---|
Subject | Re: [PATCH 1/2] SSL: GUC option to prefer server cipher order |
Date | |
Msg-id | 20131107010745.GA9968@gmail.com |
In response to | Re: [PATCH 1/2] SSL: GUC option to prefer server cipher order (Alvaro Herrera <alvherre@2ndquadrant.com>) |
Responses | Re: [PATCH 1/2] SSL: GUC option to prefer server cipher order |
List | pgsql-hackers |

On Wed, Nov 06, 2013 at 09:57:32PM -0300, Alvaro Herrera wrote:
> Marko Kreen wrote:
>
> > By default OpenSSL (and SSL/TLS in general) lets client cipher
> > order take priority.  This is OK for browsers where the ciphers
> > were tuned, but few Postgres client libraries make cipher order
> > configurable.  So it makes sense to make cipher order in
> > postgresql.conf take priority over client defaults.
> >
> > This patch adds setting 'ssl_prefer_server_ciphers' which can be
> > turned on so that server cipher order is preferred.
>
> Wouldn't it make more sense to have this enabled by default?

Well, yes.  :)

I would even drop the GUC setting, but hypothetically there could
be some sort of backwards compatibility concerns, so I added it
to patch and kept old default.  But if no one has strong need for it,
the setting can be removed.

--
marko
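
The selection rule discussed in this message, as an added example that is not part of the original post or of the patch: it models only which side's order decides the cipher and compares the two policies for a set of clients. The function names, cipher lists and client names are constructed for illustration.

```python
# Added illustration: models only the cipher-selection rule, not a TLS handshake.
# All cipher lists below are constructed sample data.

def negotiate(client_offer, server_order, prefer_server):
    """Return the first mutually supported cipher, walking the list of
    whichever side has priority; None means there is no common cipher."""
    if prefer_server:
        primary, other = server_order, set(client_offer)
    else:
        primary, other = client_offer, set(server_order)
    for cipher in primary:
        if cipher in other:
            return cipher
    return None

def compare_policies(clients, server_order):
    """Map each client to (cipher under client priority,
    cipher under server priority, whether the outcome differs)."""
    report = {}
    for name, offer in clients.items():
        by_client = negotiate(offer, server_order, prefer_server=False)
        by_server = negotiate(offer, server_order, prefer_server=True)
        report[name] = (by_client, by_server, by_client != by_server)
    return report

# Constructed: the server lists its strongest suite first.
SERVER_ORDER = ["ECDHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES256-SHA",
                "AES128-SHA", "RC4-SHA"]

# Constructed client offers, each in that client's own preference order.
CLIENTS = {
    "tuned_client": ["ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA"],
    "legacy_driver": ["RC4-SHA", "AES128-SHA", "DHE-RSA-AES256-SHA"],
    "no_overlap": ["DES-CBC3-SHA"],
}

if __name__ == "__main__":
    for name, (c, s, changed) in compare_policies(CLIENTS, SERVER_ORDER).items():
        print(f"{name:14} client-priority={c} server-priority={s} changed={changed}")
```

In this model the set of mutually supported ciphers is the same under both policies, so switching the policy changes which cipher is chosen but not whether a common cipher exists.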