On 10/06/2016 10:26 PM, Christoph Berg wrote:
> Re: Heikki Linnakangas 2016-10-06 <fd6eb3cc-1585-1469-fd9e-763f8e410b19@iki.fi>
>> I propose the attached patch. It gives up on trying to deal with multiple
>> key lengths (as noted earlier, OpenSSL just always passed keylength=1024, so
>> that was useless). Instead of using the callback, it just sets fixed DH
>> parameters with SSL_CTX_set_tmp_dh(), like we do for the ECDH curve. The DH
>> parameters are loaded from a file called "dh_params.pem" (instead of
>> "dh1024.pem"), if present, otherwise the built-in 2048 bit parameters are
>> used.
>
> Shouldn't this be a GUC pointing to a configurable location like
> ssl_cert_file? This way, people reading the security section of the
> default postgresql.conf would notice that there's something (new) to
> configure. (And I wouldn't want to start creating symlinks from PGDATA
> to /etc/ssl/something again...)
Perhaps. The DH parameters are not quite like other configuration files,
though. The actual parameters used don't matter, you just want to
generate different parameters for every cluster. The key length of the
parameters can be considered configuration, though.
- Heikki
