Re: [9.4] Minor SSL/ECDH related doc fixes
From | Bruce Momjian |
---|---|
Subject | Re: [9.4] Minor SSL/ECDH related doc fixes |
Date | |
Msg-id | 20140528013108.GA28490@momjian.us |
In reply to | [9.4] Minor SSL/ECDH related doc fixes (Marko Kreen <markokr@gmail.com>) |
List | pgsql-hackers |

On Sat, May 17, 2014 at 10:36:59PM +0300, Marko Kreen wrote:
> - Clarify ECDH description in release notes.
> - Fix default value - it's 'prime256v1'.
> - List curves with good cross-platform support explicitly
>   (NIST P-256 / P-384 / P-521).
>
> The -list_curves output is full of garbage, it's hard to know which
> ones make sense to use. Only those three curves are supported
> cross-platform - OpenSSL/Java/Windows - so list them explicitly.
>
> Only reason to tune this value is changing overall security
> level up/down, so now this can be done safely and quickly.
>
> Only upwards though. We could also list here NIST P-192/P-224
> (prime192v1, secp224r1), but those are not supported by Windows.
> And prime256v1 is quite fast already.
>
> In the future it might make philosophical sense to list
> also Brainpool curves (RFC7027), or some new curves from
> http://safecurves.cr.yp.to/ when they are brought to TLS.
> But currently only NIST/NSA curves are working option,
> so let's keep it simple for users.

Attached patch applied. I shortened the release note description.

--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ Everyone has their own god. +