mirror/postgresql
2
0
Fork 0
mirror of https://git.postgresql.org/git/postgresql.git synced 2024-12-21 08:29:39 +08:00
Code Issues Packages Projects Releases Wiki Activity

Base the default SSL ciphers on DEFAULT instead of ALL

Browse Source 
It's better to start from what the OpenSSL people consider a good
default and then remove insecure things (low encryption, exportable
encryption and md5 at this point) from that, instead of starting
from everything that exists and remove from that. We trust the
OpenSSL people to make good choices about what the default is.
This commit is contained in:
Magnus Hagander 2013-01-17 15:04:44 +01:00
parent 4eebf1309f
commit bba486f372
2 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/backend/utils/misc/guc.c
View File

@ -3056,7 +3056,7 @@ static struct config_string ConfigureNamesString[] =
}, },
&SSLCipherSuites, &SSLCipherSuites,
#ifdef USE_SSL #ifdef USE_SSL
"ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH", "DEFAULT:!LOW:!EXP:!MD5:@STRENGTH",
#else #else
"none", "none",
#endif #endif

2
src/backend/utils/misc/postgresql.conf.sample
View File

@ -79,7 +79,7 @@
#authentication_timeout = 1min # 1s-600s #authentication_timeout = 1min # 1s-600s
#ssl = off # (change requires restart) #ssl = off # (change requires restart)
#ssl_ciphers = 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH' # allowed SSL ciphers #ssl_ciphers = 'DEFAULT:!LOW:!EXP:!MD5:@STRENGTH' # allowed SSL ciphers
# (change requires restart) # (change requires restart)
#ssl_renegotiation_limit = 512MB # amount of data between renegotiations #ssl_renegotiation_limit = 512MB # amount of data between renegotiations
#ssl_cert_file = 'server.crt' # (change requires restart) #ssl_cert_file = 'server.crt' # (change requires restart)