On Fri, May 12, 2006 at 09:05:55PM -0400, Tom Lane wrote:
> Michael Fuhr <mike@fuhr.org> writes:
> > Incidentally, is it necessary to load the DH parameters anew and
> > call DH_check for every connection?
>
> We could maybe improve on that on Unix, but not so easily on Windows.
> Given the evidently nonexistent demand for this feature, I can't see
> putting any work into it ;-)
To be honest I'm not entirely sure of the benefits of allowing people
to specify the DH params. For the GnuTLS patch I just got the backend
to generate the params on postmaster start because I couldn't think if a
reason why you'd want to either use hard-coded values or user-specified
ones.
They're not security sensetive, knowing them doesn't help you crack the
stream. The client simply gets a copy of the server's parameters when
initiating the connection. What they do do it protect the security of
the stream if the private key has been comprimised. So we should use
EDH, but there's still no reason for the user to want to specify the
parameters...
Have a ncie day,
--
Martijn van Oosterhout <kleptog@svana.org> http://svana.org/kleptog/
> From each according to his ability. To each according to his ability to litigate.