On Wed, Jan 2, 2013 at 3:15 PM, Noah Misch <n...@leadboat.com> wrote: > On Wed, Jan 02, 2013 at 02:03:20PM +0100, Magnus Hagander wrote: >> On Wed, Jan 2, 2013 at 1:15 AM, Tom Lane <t...@sss.pgh.pa.us> wrote: >> > So +1 for changing it to "DEFAULT" from me, too. There's no reason to >> > think we know more about this than the OpenSSL authors. >> >> The DEFAULT value in OpenSSL 1.0 means "ALL:!aNULL:!eNULL". >> >> Researching some more, this might cause a problem actually, which >> would explain some of the things that are in our default. For example, >> an ADH algorithm doesn't use certificates - but it uses DH parameters, >> so it likely won't work anyway. EDH uses certs, but also requires DH >> parameters. >> >> Maybe what we nede is "DEFAULT:!ADH:@STRENGTH" as the default? > > I understand aNULL to include ADH.
Hmm. Seems you're right when I run a test on it, I was reading it wrong. >> The other difference is that our current string denies 40 and 56 bit >> encryptions (low and export strenghts). Do we stll want to do that? > > On the one hand, those seem bad to permit by default in 2013. On the other > hand, if so, why hasn't OpenSSL removed them from DEFAULT? Perhaps it has > backward-compatibility concerns that wouldn't apply to us by virtue of having > disabled them for some time. Sounds reasonable to continue disabling them. So then the default would be "DEFAULT:!LOW:!EXP:@STRENGTH" (the @STRENGTH part is the sorting key for preference, which the default one seems not to have) The biggest difference being that we start from DEFAULT rather than ALL. -- Magnus Hagander Me: http://www.hagander.net/ Work: http://www.redpill-linpro.com/ -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
