Re: SSL: better default ciphersuite
| От | Gavin Flower |
|---|---|
| Тема | Re: SSL: better default ciphersuite |
| Дата | |
| Msg-id | 52B09C28.9060300@archidevsys.co.nz обсуждение исходный текст |
| Ответ на | Re: SSL: better default ciphersuite (Bruce Momjian <bruce@momjian.us>) |
| Список | pgsql-hackers |
On 18/12/13 05:26, Bruce Momjian wrote: > On Tue, Dec 17, 2013 at 09:51:30AM -0500, Robert Haas wrote: >> On Sun, Dec 15, 2013 at 5:10 PM, James Cloos <cloos@jhcloos.com> wrote: >>> For reference, see: >>> >>> https://wiki.mozilla.org/Security/Server_Side_TLS >>> >>> for the currently suggested suite for TLS servers. >> ... >>> But for pgsql, I'd leave off the !PSK; pre-shared keys may prove useful >>> for some. And RC4, perhaps, also should be !ed. >>> >>> And if anyone wants Kerberos tls-authentication, one could add >>> KRB5-DES-CBC3-SHA, but that is ssl3-only. >>> >>> Once salsa20-poly1305 lands in openssl, that should be added to the >>> start of the list. >> I'm starting to think we should just leave this well enough alone. We >> can't seem to find two people with the same idea of what would be >> better than what we have now. And of course the point of making it a >> setting in the first place is that each person can set it to whatever >> they deem best. > Yes, I am seeing that too. Can we agree on one that is _better_ than > what we have now, even if we can't agree on a _best_ one? > Because various security agencies probably have people trying to confuse the issue, and acting to discourage strong encryption... Possibly choose the one computationally most difficult to crack - but even then, we don't know what algorithms they are using, which are bound to be very sophisticated. I've a horrible feeling, that I'm not paranoid enough! Cheers, Gavin
В списке pgsql-hackers по дате отправления: