On Sat, May 17, 2014 at 10:36:59PM +0300, Marko Kreen wrote: > - Clarify ECDH decription in release notes. > - Fix default value - it's 'prime256v1'. > - List curves with good cross-platform support explicitly > (NIST P-256 / P-384 / P-521). > > The -list_curves output is full of garbage, it's hard to know which > ones make sense to use. Only those three curves are supported > cross-platform - OpenSSL/Java/Windows - so list them explicitly. > > Only reason to tune this value is changing overall security > level up/down, so now this can be done safely and quickly. > > Only upwards though. We could also list here NIST P-192/P-224 > (prime192v1, secp224r1), but those are not supported by Windows. > And prime256v1 is quite fast already. > > In the future it might make philosophical sense to list > also Brainpool curves (RFC7027), or some new curves from > http://safecurves.cr.yp.to/ when they are brought to TLS. > But currently only NIST/NSA curves are working option, > so let's keep it simple for users.
Attached patch applied. I shortened the release note description. -- Bruce Momjian <br...@momjian.us> http://momjian.us EnterpriseDB http://enterprisedb.com + Everyone has their own god. +
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml new file mode 100644 index d9e5985..4a666d0 *** a/doc/src/sgml/config.sgml --- b/doc/src/sgml/config.sgml *************** include 'filename' *** 1020,1032 **** </term> <listitem> <para> ! Specifies the name of the curve to use in ECDH key exchanges. The ! default is <literal>prime256p1</>. </para> <para> ! The list of available curves can be shown with the command ! <literal>openssl ecparam -list_curves</literal>. </para> </listitem> </varlistentry> --- 1020,1042 ---- </term> <listitem> <para> ! Specifies the name of the curve to use in ECDH key exchange. ! It needs to be supported by all clients that connect. ! It does not need to be same curve as used by server's ! Elliptic Curve key. The default is <literal>prime256v1</>. </para> <para> ! OpenSSL names for most common curves: ! <literal>prime256v1</> (NIST P-256), ! <literal>secp384r1</> (NIST P-384), ! <literal>secp521r1</> (NIST P-521). ! </para> ! ! <para> ! The full list of available curves can be shown with the command ! <literal>openssl ecparam -list_curves</literal>. Not all of them ! are usable in TLS though. </para> </listitem> </varlistentry> diff --git a/doc/src/sgml/release-9.4.sgml b/doc/src/sgml/release-9.4.sgml new file mode 100644 index 24862fe..ae059f8 *** a/doc/src/sgml/release-9.4.sgml --- b/doc/src/sgml/release-9.4.sgml *************** *** 616,632 **** </para> <para> ! Such keys are faster and have improved security over previous ! options. The new configuration ! parameter <link linkend="guc-ssl-ecdh-curve"><varname>ssl_ecdh_curve</></link> ! controls which curve is used. </para> </listitem> <listitem> <para> Improve the default <link ! linkend="guc-ssl-ciphers"><varname>ssl_ciphers</></link> ciphers (Marko Kreen) </para> </listitem> --- 616,633 ---- </para> <para> ! This allows use of Elliptic Curve keys for server authentication. ! Such keys are faster and have improved security over <acronym>RSA</> keys. ! The new configuration parameter ! <link linkend="guc-ssl-ecdh-curve"><varname>ssl_ecdh_curve</></link> ! controls which curve is used for <acronym>ECDH</>. </para> </listitem> <listitem> <para> Improve the default <link ! linkend="guc-ssl-ciphers"><varname>ssl_ciphers</></link> value (Marko Kreen) </para> </listitem>
-- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers