Re: [HACKERS] PostgreSQL - Weak DH group
From | Michael Paquier |
---|---|
Subject | Re: [HACKERS] PostgreSQL - Weak DH group |
Date | |
Msg-id | CAB7nPqQ-Ad_Q12FXqVC4-3-CbidXmo9uFBeZ2jPoCb29yB3dgQ@mail.gmail.com |
In response to | Re: [HACKERS] PostgreSQL - Weak DH group (Heikki Linnakangas <hlinnaka@iki.fi>) |
Responses | Re: [HACKERS] PostgreSQL - Weak DH group |
List | pgsql-hackers |
On Thu, Jul 13, 2017 at 5:32 PM, Heikki Linnakangas <hlinnaka@iki.fi> wrote:
> I rebased the patch, did some other clean up of error reporting, and added a
> GUC along those lines, as well as docs. How does this look?
>
> It's late in the release cycle, but it would be nice to sneak this into v10.
> Using weak 1024 bit DH parameters is arguably a security issue; it was
> originally reported as such. There's a work-around for older versions:
> generate custom 2048 bit parameters and place them in a file called
> "dh1024.pem", but that's completely undocumented.
>
> Thoughts?

The patch looks in good shape to me.

#include "utils/memutils.h"
-static int my_sock_read(BIO *h, char *buf, int size);

That's unnecessary noise.

+ * Very uncool. Alternatively, the system could refuse to start
+ * if a DH parameters if not specified, but this would tend to
+ * piss off DBAs.

"is not specified".

> Objections to committing this now, instead of waiting for v11?

But I am -1 for the sneak part. It is not the time to have a new feature in 10, the focus is to stabilize.
--
Michael
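Review bot: in the added comment, the line "if a DH parameters if not specified" needs more than the "if" to "is" correction: "a DH parameters" pairs a singular article with a plural noun, so "if DH parameters are not specified" would read correctly. The phrase "piss off DBAs" is also informal for a source comment; wording such as "but this would inconvenience DBAs" states the same trade-off.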