Re: SSL: better default ciphersuite - Mailing list pgsql-hackers

From Robert Haas
Subject Re: SSL: better default ciphersuite
Date
Msg-id CA+Tgmob=HNrFwDLm-kKjbROfAwmLQd8Snre=8taS7PMZ30VpoA@mail.gmail.com
Whole thread Raw
In response to Re: SSL: better default ciphersuite  (James Cloos <cloos@jhcloos.com>)
Responses Re: SSL: better default ciphersuite
List pgsql-hackers
On Sun, Dec 15, 2013 at 5:10 PM, James Cloos <cloos@jhcloos.com> wrote:
> For reference, see:
>
>   https://wiki.mozilla.org/Security/Server_Side_TLS
>
> for the currently suggested suite for TLS servers.
...
> But for pgsql, I'd leave off the !PSK; pre-shared keys may prove useful
> for some.  And RC4, perhaps, also should be !ed.
>
> And if anyone wants Kerberos tls-authentication, one could add
> KRB5-DES-CBC3-SHA, but that is ssl3-only.
>
> Once salsa20-poly1305 lands in openssl, that should be added to the
> start of the list.

I'm starting to think we should just leave this well enough alone.  We
can't seem to find two people with the same idea of what would be
better than what we have now.  And of course the point of making it a
setting in the first place is that each person can set it to whatever
they deem best.

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company



pgsql-hackers by date:

Previous
From: Robert Haas
Date:
Subject: Re: Useless "Replica Identity: NOTHING" noise from psql \d
Next
From: Robert Haas
Date:
Subject: Re: Proposal: variant of regclass