Re: [HACKERS] PostgreSQL - Weak DH group

2017-07-31 Thread Heikki Linnakangas
On 07/31/2017 02:27 PM, Heikki Linnakangas wrote: Rebased patch attached, with proposed release notes included. Barring new objections or arguments, I'll commit this (only) to v10 later today. Ok, committed for v10. Thanks Nicolas and Damien, and everyone else involved! - Heikki -- Sent vi

Re: [HACKERS] PostgreSQL - Weak DH group

2017-07-31 Thread Heikki Linnakangas
On 07/13/2017 11:07 PM, Heikki Linnakangas wrote: On 07/13/2017 10:13 PM, Robert Haas wrote: On Thu, Jul 13, 2017 at 1:30 PM, Tom Lane wrote: Heikki Linnakangas writes: I don't think this can be backpatched. It changes the default DH parameters from 1024 bits to 2048 bits. That's a good thin

Re: [HACKERS] PostgreSQL - Weak DH group

2017-07-13 Thread Heikki Linnakangas
On 07/13/2017 10:13 PM, Robert Haas wrote: On Thu, Jul 13, 2017 at 1:30 PM, Tom Lane wrote: Heikki Linnakangas writes: I don't think this can be backpatched. It changes the default DH parameters from 1024 bits to 2048 bits. That's a good thing for security, but older clients might not support

Re: [HACKERS] PostgreSQL - Weak DH group

2017-07-13 Thread Robert Haas
On Thu, Jul 13, 2017 at 1:30 PM, Tom Lane wrote: > Heikki Linnakangas writes: >> I don't think this can be backpatched. It changes the default DH >> parameters from 1024 bits to 2048 bits. That's a good thing for >> security, but older clients might not support it, and would refuse to >> connect

Re: [HACKERS] PostgreSQL - Weak DH group

2017-07-13 Thread Tom Lane
Heikki Linnakangas writes: > I don't think this can be backpatched. It changes the default DH > parameters from 1024 bits to 2048 bits. That's a good thing for > security, but older clients might not support it, and would refuse to > connect or would fall back to something less secure. Do we h

Re: [HACKERS] PostgreSQL - Weak DH group

2017-07-13 Thread Joe Conway
On 07/13/2017 01:07 PM, Simon Riggs wrote: > On 13 July 2017 at 16:32, Heikki Linnakangas wrote: >> (We dropped the ball back in October, continuing the discussion now) >> >> On 10/10/2016 06:24 PM, Heikki Linnakangas wrote: >>> >>> On 10/06/2016 10:26 PM, Christoph Berg wrote: Re: Heikk

Re: [HACKERS] PostgreSQL - Weak DH group

2017-07-13 Thread Heikki Linnakangas
On 07/13/2017 08:04 PM, Alvaro Herrera wrote: Michael Paquier wrote: On Thu, Jul 13, 2017 at 5:32 PM, Heikki Linnakangas wrote: Objections to committing this now, instead of waiting for v11? But I am -1 for the sneak part. It is not the time to have a new feature in 10, the focus is to sta

Re: [HACKERS] PostgreSQL - Weak DH group

2017-07-13 Thread Christoph Berg
Re: Alvaro Herrera 2017-07-13 <20170713170402.74uuoivrgd3c6tnw@alvherre.pgsql> > > > Objections to committing this now, instead of waiting for v11? > > > > But I am -1 for the sneak part. It is not the time to have a new > > feature in 10, the focus is to stabilize. > > But if we were treating it

Re: [HACKERS] PostgreSQL - Weak DH group

2017-07-13 Thread Simon Riggs
On 13 July 2017 at 16:32, Heikki Linnakangas wrote: > (We dropped the ball back in October, continuing the discussion now) > > On 10/10/2016 06:24 PM, Heikki Linnakangas wrote: >> >> On 10/06/2016 10:26 PM, Christoph Berg wrote: >>> >>> Re: Heikki Linnakangas 2016-10-06 >>> I propose th

Re: [HACKERS] PostgreSQL - Weak DH group

2017-07-13 Thread Alvaro Herrera
Michael Paquier wrote: > On Thu, Jul 13, 2017 at 5:32 PM, Heikki Linnakangas wrote: > > Objections to committing this now, instead of waiting for v11? > > But I am -1 for the sneak part. It is not the time to have a new > feature in 10, the focus is to stabilize. But if we were treating it as a

Re: [HACKERS] PostgreSQL - Weak DH group

2017-07-13 Thread Michael Paquier
On Thu, Jul 13, 2017 at 5:32 PM, Heikki Linnakangas wrote: > I rebased the patch, did some other clean up of error reporting, and added a > GUC along those lines, as well as docs. How does this look? > > It's late in the release cycle, but it would be nice to sneak this into v10. > Using weak 1024

Re: [HACKERS] PostgreSQL - Weak DH group

2017-07-13 Thread Heikki Linnakangas
(We dropped the ball back in October, continuing the discussion now) On 10/10/2016 06:24 PM, Heikki Linnakangas wrote: On 10/06/2016 10:26 PM, Christoph Berg wrote: Re: Heikki Linnakangas 2016-10-06 I propose the attached patch. It gives up on trying to deal with multiple key lengths (as note

Re: [HACKERS] PostgreSQL - Weak DH group

2016-10-12 Thread Oskari Saarenmaa
06.10.2016, 16:52, Heikki Linnakangas wrote: I propose the attached patch. It gives up on trying to deal with multiple key lengths (as noted earlier, OpenSSL just always passed keylength=1024, so that was useless). Instead of using the callback, it just sets fixed DH parameters with SSL_CTX_s

Re: [HACKERS] PostgreSQL - Weak DH group

2016-10-10 Thread Heikki Linnakangas
On 10/06/2016 10:26 PM, Christoph Berg wrote: Re: Heikki Linnakangas 2016-10-06 I propose the attached patch. It gives up on trying to deal with multiple key lengths (as noted earlier, OpenSSL just always passed keylength=1024, so that was useless). Instead of using the callback, it just sets f

Re: [HACKERS] PostgreSQL - Weak DH group

2016-10-06 Thread Christoph Berg
Re: Heikki Linnakangas 2016-10-06 > I propose the attached patch. It gives up on trying to deal with multiple > key lengths (as noted earlier, OpenSSL just always passed keylength=1024, so > that was useless). Instead of using the callback, it just sets fixed DH > parameters with SSL_CTX_set_tmp_d

Re: [HACKERS] PostgreSQL - Weak DH group

2016-10-06 Thread Heikki Linnakangas
On 10/05/2016 09:57 PM, Heikki Linnakangas wrote: On 10/05/2016 05:15 PM, Nicolas Guini wrote: We are working with Postgres 9.3.14 and executing nmap we found that it is using “weak DH group” (nmap --script ssl-dh-params). Weak = 1024 bits. Yeah, it seems that we're a bit behind

Re: [HACKERS] PostgreSQL - Weak DH group

2016-10-05 Thread Heikki Linnakangas
On 10/05/2016 05:15 PM, Nicolas Guini wrote: We are working with Postgres 9.3.14 and executing nmap we found that it is using “weak DH group” (nmap --script ssl-dh-params). Weak = 1024 bits. Yeah, it seems that we're a bit behind the times on this... This issue is similar t

[HACKERS] PostgreSQL - Weak DH group

2016-10-05 Thread Nicolas Guini
Hello everyone, a few days ago I sent a mail to the security DL reporting a vulnerability in how Postgres is requesting DH params to be used later for encryption algorithms. So, since there is no problem sharing it with this group, here is what I sent: