On 18/12/13 05:26, Bruce Momjian wrote:
On Tue, Dec 17, 2013 at 09:51:30AM -0500, Robert Haas wrote:
On Sun, Dec 15, 2013 at 5:10 PM, James Cloos <cl...@jhcloos.com> wrote:
For reference, see:
https://wiki.mozilla.org/Security/Server_Side_TLS
for the currently suggested suite for TLS servers.
...
But for pgsql, I'd leave off the !PSK; pre-shared keys may prove useful
for some. And RC4, perhaps, also should be !ed.
And if anyone wants Kerberos tls-authentication, one could add
KRB5-DES-CBC3-SHA, but that is ssl3-only.
Once salsa20-poly1305 lands in openssl, that should be added to the
start of the list.
I'm starting to think we should just leave this well enough alone. We
can't seem to find two people with the same idea of what would be
better than what we have now. And of course the point of making it a
setting in the first place is that each person can set it to whatever
they deem best.
Yes, I am seeing that too. Can we agree on one that is _better_ than
what we have now, even if we can't agree on a _best_ one?
Because various security agencies probably have people trying to confuse
the issue, and acting to discourage strong encryption...
Possibly choose the one computationally most difficult to crack - but
even then, we don't know what algorithms they are using, which are bound
to be very sophisticated.
I've a horrible feeling, that I'm not paranoid enough!
Cheers,
Gavin
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
