On Sat, May 17, 2014 at 10:36:59PM +0300, Marko Kreen wrote:
> - Clarify ECDH decription in release notes.
> - Fix default value - it's 'prime256v1'.
> - List curves with good cross-platform support explicitly
> (NIST P-256 / P-384 / P-521).
>
> The -list_curves output is full of garbage, it's hard to know which
> ones make sense to use. Only those three curves are supported
> cross-platform - OpenSSL/Java/Windows - so list them explicitly.
>
> Only reason to tune this value is changing overall security
> level up/down, so now this can be done safely and quickly.
>
> Only upwards though. We could also list here NIST P-192/P-224
> (prime192v1, secp224r1), but those are not supported by Windows.
> And prime256v1 is quite fast already.
>
> In the future it might make philosophical sense to list
> also Brainpool curves (RFC7027), or some new curves from
> http://safecurves.cr.yp.to/ when they are brought to TLS.
> But currently only NIST/NSA curves are working option,
> so let's keep it simple for users.
Attached patch applied. I shortened the release note description.
--
Bruce Momjian <[email protected]> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ Everyone has their own god. +
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
new file mode 100644
index d9e5985..4a666d0
*** a/doc/src/sgml/config.sgml
--- b/doc/src/sgml/config.sgml
*************** include 'filename'
*** 1020,1032 ****
</term>
<listitem>
<para>
! Specifies the name of the curve to use in ECDH key exchanges. The
! default is <literal>prime256p1</>.
</para>
<para>
! The list of available curves can be shown with the command
! <literal>openssl ecparam -list_curves</literal>.
</para>
</listitem>
</varlistentry>
--- 1020,1042 ----
</term>
<listitem>
<para>
! Specifies the name of the curve to use in ECDH key exchange.
! It needs to be supported by all clients that connect.
! It does not need to be same curve as used by server's
! Elliptic Curve key. The default is <literal>prime256v1</>.
</para>
<para>
! OpenSSL names for most common curves:
! <literal>prime256v1</> (NIST P-256),
! <literal>secp384r1</> (NIST P-384),
! <literal>secp521r1</> (NIST P-521).
! </para>
!
! <para>
! The full list of available curves can be shown with the command
! <literal>openssl ecparam -list_curves</literal>. Not all of them
! are usable in TLS though.
</para>
</listitem>
</varlistentry>
diff --git a/doc/src/sgml/release-9.4.sgml b/doc/src/sgml/release-9.4.sgml
new file mode 100644
index 24862fe..ae059f8
*** a/doc/src/sgml/release-9.4.sgml
--- b/doc/src/sgml/release-9.4.sgml
***************
*** 616,632 ****
</para>
<para>
! Such keys are faster and have improved security over previous
! options. The new configuration
! parameter <link linkend="guc-ssl-ecdh-curve"><varname>ssl_ecdh_curve</></link>
! controls which curve is used.
</para>
</listitem>
<listitem>
<para>
Improve the default <link
! linkend="guc-ssl-ciphers"><varname>ssl_ciphers</></link> ciphers
(Marko Kreen)
</para>
</listitem>
--- 616,633 ----
</para>
<para>
! This allows use of Elliptic Curve keys for server authentication.
! Such keys are faster and have improved security over <acronym>RSA</> keys.
! The new configuration parameter
! <link linkend="guc-ssl-ecdh-curve"><varname>ssl_ecdh_curve</></link>
! controls which curve is used for <acronym>ECDH</>.
</para>
</listitem>
<listitem>
<para>
Improve the default <link
! linkend="guc-ssl-ciphers"><varname>ssl_ciphers</></link> value
(Marko Kreen)
</para>
</listitem>
--
Sent via pgsql-hackers mailing list ([email protected])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
