Re: SSL: better default ciphersuite - Mailing list pgsql-hackers

From Gavin Flower
Subject Re: SSL: better default ciphersuite
Date
Msg-id 52B09C28.9060300@archidevsys.co.nz
Whole thread Raw
In response to Re: SSL: better default ciphersuite  (Bruce Momjian <bruce@momjian.us>)
List pgsql-hackers
On 18/12/13 05:26, Bruce Momjian wrote:
> On Tue, Dec 17, 2013 at 09:51:30AM -0500, Robert Haas wrote:
>> On Sun, Dec 15, 2013 at 5:10 PM, James Cloos <cloos@jhcloos.com> wrote:
>>> For reference, see:
>>>
>>>    https://wiki.mozilla.org/Security/Server_Side_TLS
>>>
>>> for the currently suggested suite for TLS servers.
>> ...
>>> But for pgsql, I'd leave off the !PSK; pre-shared keys may prove useful
>>> for some.  And RC4, perhaps, also should be !ed.
>>>
>>> And if anyone wants Kerberos tls-authentication, one could add
>>> KRB5-DES-CBC3-SHA, but that is ssl3-only.
>>>
>>> Once salsa20-poly1305 lands in openssl, that should be added to the
>>> start of the list.
>> I'm starting to think we should just leave this well enough alone.  We
>> can't seem to find two people with the same idea of what would be
>> better than what we have now.  And of course the point of making it a
>> setting in the first place is that each person can set it to whatever
>> they deem best.
> Yes, I am seeing that too.  Can we agree on one that is _better_ than
> what we have now, even if we can't agree on a _best_ one?
>
Because various security agencies probably have people trying to confuse 
the issue, and acting to discourage strong encryption...

Possibly choose the one computationally most difficult to crack - but 
even then, we don't know what algorithms they are using, which are bound 
to be very sophisticated.

I've a horrible feeling, that I'm not paranoid enough!


Cheers,
Gavin



pgsql-hackers by date:

Previous
From: Bruce Momjian
Date:
Subject: Re: [bug fix] multibyte messages are displayed incorrectly on the client
Next
From: Heikki Linnakangas
Date:
Subject: Re: Extension Templates S03E11