On Thursday, November 7, 2013, Marko Kreen wrote:
> On Wed, Nov 06, 2013 at 09:57:32PM -0300, Alvaro Herrera wrote:
> > Marko Kreen wrote:
> > > By default OpenSSL (and SSL/TLS in general) lets client cipher
> > > order take priority. This is OK for browsers where the ciphers
> > > were tuned, but few Postgres client libraries make cipher order
> > > configurable. So it makes sense to make cipher order in
> > > postgresql.conf take priority over client defaults.
> > >
> > > This patch adds setting 'ssl_prefer_server_ciphers' which can be
> > > turned on so that server cipher order is preferred.
> >
> > Wouldn't it make more sense to have this enabled by default?
>
> Well, yes. :)
>
> I would even drop the GUC setting, but hypothetically there could
> be some sort of backwards compatibility concerns, so I added it
> to patch and kept old default. But if no one has strong need for it,
> the setting can be removed.
I think the default behaviour should be the one we recommend (which would be to have the server one be preferred). But I do agree with the requirement to have a GUC to be able to remove it - even though I don't like the idea of more GUCs. But making it a compile-time option would make it the same as not having one...

//Magnus

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
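An added illustration of the selection rule the thread is arguing about (this is not code from the patch or from PostgreSQL): a small model of how a TLS server picks a cipher suite from the two sides' lists, with and without server preference. The suite names and both orderings are constructed sample values; that the GUC maps to OpenSSL's SSL_OP_CIPHER_SERVER_PREFERENCE is my assumption, since the patch itself is not quoted here.

```python
"""Model of TLS cipher-suite selection with client vs. server preference.

Added illustration; not code from the PostgreSQL patch under discussion.
Suite names and orderings below are constructed sample values.
"""

# Constructed example: a client library that ships a poorly tuned default
# order, listing a legacy suite ahead of a modern AEAD suite.
CLIENT_ORDER = [
    "RC4-SHA",
    "AES128-SHA",
    "ECDHE-RSA-AES128-GCM-SHA256",
]

# Constructed example: what an administrator put in ssl_ciphers, strongest first.
SERVER_ORDER = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES128-SHA",
    "RC4-SHA",
]


def select_cipher(client_order, server_order, prefer_server=False):
    """Return the suite the server picks, or None if the lists do not overlap.

    The chosen suite must appear on both sides.  Which common suite wins
    depends on whose ordering is authoritative: by default the first
    acceptable entry in the client's list wins; with server preference
    (assumed here to be OpenSSL's SSL_OP_CIPHER_SERVER_PREFERENCE, which
    ssl_prefer_server_ciphers = on would enable) the server's list wins.
    """
    if prefer_server:
        offered = set(client_order)
        return next((s for s in server_order if s in offered), None)
    supported = set(server_order)
    return next((s for s in client_order if s in supported), None)


def negotiate_both_ways(client_order=CLIENT_ORDER, server_order=SERVER_ORDER):
    """Outcome under each setting of the proposed GUC, for the sample lists."""
    return {
        "ssl_prefer_server_ciphers = off": select_cipher(client_order, server_order),
        "ssl_prefer_server_ciphers = on": select_cipher(client_order, server_order, True),
    }


if __name__ == "__main__":
    for setting, suite in negotiate_both_ways().items():
        print(f"{setting:<32} -> {suite}")
```

With the sample lists the default (client preference) lands on RC4-SHA purely because the client library listed it first; flipping the setting makes the administrator's ordering decide.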