Re: DH_check return value test correct? - Mailing list pgsql-hackers

From Martijn van Oosterhout
Subject Re: DH_check return value test correct?
Date
Msg-id 20060513091027.GJ12955@svana.org
Whole thread Raw
In response to Re: DH_check return value test correct?  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
On Fri, May 12, 2006 at 09:05:55PM -0400, Tom Lane wrote:
> Michael Fuhr <mike@fuhr.org> writes:
> > Incidentally, is it necessary to load the DH parameters anew and
> > call DH_check for every connection?
>
> We could maybe improve on that on Unix, but not so easily on Windows.
> Given the evidently nonexistent demand for this feature, I can't see
> putting any work into it ;-)

To be honest I'm not entirely sure of the benefits of allowing people
to specify the DH params. For the GnuTLS patch I just got the backend
to generate the params on postmaster start because I couldn't think if a
reason why you'd want to either use hard-coded values or user-specified
ones.

They're not security sensetive, knowing them doesn't help you crack the
stream. The client simply gets a copy of the server's parameters when
initiating the connection. What they do do it protect the security of
the stream if the private key has been comprimised. So we should use
EDH, but there's still no reason for the user to want to specify the
parameters...

Have a ncie day,
--
Martijn van Oosterhout   <kleptog@svana.org>   http://svana.org/kleptog/
> From each according to his ability. To each according to his ability to litigate.

pgsql-hackers by date:

Previous
From: Martijn van Oosterhout
Date:
Subject: Re: [GENERAL] Querying libpq compile time options
Next
From: Albert Cervera Areny
Date:
Subject: Re: Inheritance, Primary Keys and Foreign Keys