On 11/16/2013 01:13 PM, Marko Kreen wrote:
On Sat, Nov 16, 2013 at 01:03:05PM -0800, Adrian Klaver wrote:
On 11/16/2013 12:37 PM, Marko Kreen wrote:
Thanks for testing!
On Sat, Nov 16, 2013 at 12:17:40PM -0800, Adrian Klaver wrote:
On 11/16/2013 06:24 AM, Marko Kreen wrote:
ssl-better-default:
SSL should stay working, openssl ciphers -v 'value' should not contain
any weak suites (RC4, SEED, DES-CBC, EXP, NULL) and no non-authenticated
suites (ADH/AECDH).
Not sure about the above, if it is a GUC I can't find it. If it is
something else than I will have to plead ignorance.
The patch just changes the default value for 'ssl_ciphers' GUC.
I am still not sure what patch you are talking about. The two
patches I saw where for server_prefer and ECDH key exchange.
The question is if the value works at all, and is good.
What value would we be talking about?
Ah, sorry. It's this one:
https://commitfest.postgresql.org/action/patch_view?id=1310
Got it, applied it.
Results:
openssl ciphers -v 'HIGH:!aNULL'|egrep
'(RC4|SEED|DES-CBC|EXP|NULL|ADH|AECDH)'
ECDHE-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1
ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
ECDH-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=3DES(168) Mac=SHA1
ECDH-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
Note: I have been working through a head cold and thought processes
are sluggish, handle accordingly:)
Get better soon! :)
Thanks, the worst is over.
--
Adrian Klaver
adrian.kla...@gmail.com
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
