Re: [PATCH 1/2] SSL: GUC option to prefer server cipher order
From | Magnus Hagander |
---|---|
Subject | Re: [PATCH 1/2] SSL: GUC option to prefer server cipher order |
Date | |
Msg-id | CABUevEyfc2mOfzpv1jz+x=_vB_6pYd9QbroJRjY_UMeB3O3zeg@mail.gmail.com |
In response to | Re: [PATCH 1/2] SSL: GUC option to prefer server cipher order (Marko Kreen <markokr@gmail.com>) |
Responses | Re: [PATCH 1/2] SSL: GUC option to prefer server cipher order |
List | pgsql-hackers |
On Thursday, November 7, 2013, Marko Kreen wrote:
On Wed, Nov 06, 2013 at 09:57:32PM -0300, Alvaro Herrera wrote:
> Marko Kreen wrote:
>
> > By default OpenSSL (and SSL/TLS in general) lets client cipher
> > order take priority. This is OK for browsers where the ciphers
> > were tuned, but few Postgres client libraries make cipher order
> > configurable. So it makes sense to make cipher order in
> > postgresql.conf take priority over client defaults.
> >
> > This patch adds setting 'ssl_prefer_server_ciphers' which can be
> > turned on so that server cipher order is preferred.
>
> Wouldn't it make more sense to have this enabled by default?
Well, yes. :)
I would even drop the GUC setting, but hypothetically there could
be some sort of backwards compatibility concerns, so I added it
to the patch and kept the old default. But if no one has a strong need for it,
the setting can be removed.
I think the default behaviour should be the one we recommend (which would be to have the server one be preferred). But I do agree with the requirement to have a GUC to be able to remove it - even though I don't like the idea of more GUCs. But making it a compile time option would make it the same as not having one...
//Magnus
--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
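
Added example, not part of the thread or the patch: one way to check from the outside whether a PostgreSQL server enforces its own cipher order, by offering the same two ciphers in both orders and comparing what gets negotiated. The two cipher names, the function names and the offline `model_server` stand-in are assumptions made for this illustration.

```python
import socket
import ssl
import struct

# Two TLS 1.2 suites (OpenSSL names) assumed to be enabled on the server under test.
CIPHER_A = "ECDHE-RSA-AES128-GCM-SHA256"
CIPHER_B = "ECDHE-RSA-AES256-GCM-SHA384"


def negotiate_pg(host, port, cipher_string):
    """Handshake with a PostgreSQL server and return the negotiated cipher name."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # the probe reads only the cipher name;
    ctx.verify_mode = ssl.CERT_NONE  # no credentials or queries are sent
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # set_ciphers() does not cover TLS 1.3
    ctx.set_ciphers(cipher_string)
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(struct.pack("!II", 8, 80877103))  # PostgreSQL SSLRequest message
        if sock.recv(1) != b"S":
            raise ssl.SSLError("server refused SSL")
        with ctx.wrap_socket(sock) as tls:
            return tls.cipher()[0]


def classify(negotiate, a=CIPHER_A, b=CIPHER_B):
    """Offer the same two ciphers in both orders and see whose order wins."""
    try:
        # Both ciphers must be usable alone, or the comparison is meaningless.
        if [negotiate(c) for c in (a, b)] != [a, b]:
            return "inconclusive"
        first, second = negotiate(f"{a}:{b}"), negotiate(f"{b}:{a}")
    except ssl.SSLError:
        return "inconclusive"
    if first == second:
        return "server"   # client order was ignored
    if (first, second) == (a, b):
        return "client"   # the first cipher offered won both times
    return "inconclusive"


def model_server(server_order, prefer_server):
    """Constructed stand-in for a server, so the check runs offline."""
    def negotiate(cipher_string):
        offered = cipher_string.split(":")
        walk, other = (server_order, offered) if prefer_server else (offered, server_order)
        for name in walk:
            if name in other:
                return name
        raise ssl.SSLError("no shared cipher")
    return negotiate
```

Against a real server, pass `lambda c: negotiate_pg(host, port, c)` as `negotiate`; `model_server` exists only so the comparison logic can be exercised without a network.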