Re: SSL: better default ciphersuite

On Sun, Dec 15, 2013 at 5:10 PM, James Cloos <cloos@jhcloos.com> wrote:
> For reference, see:
>
>   https://wiki.mozilla.org/Security/Server_Side_TLS
>
> for the currently suggested suite for TLS servers.
...
> But for pgsql, I'd leave off the !PSK; pre-shared keys may prove useful
> for some.  And RC4, perhaps, also should be !ed.
>
> And if anyone wants Kerberos tls-authentication, one could add
> KRB5-DES-CBC3-SHA, but that is ssl3-only.
>
> Once salsa20-poly1305 lands in openssl, that should be added to the
> start of the list.

I'm starting to think we should just leave this well enough alone.  We
can't seem to find two people with the same idea of what would be
better than what we have now.  And of course the point of making it a
setting in the first place is that each person can set it to whatever
they deem best.

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company