Noah Misch <noah@leadboat.com> writes:
> On Tue, Jan 01, 2013 at 04:29:35PM +0100, Magnus Hagander wrote:
>> On Thu, Aug 30, 2012 at 11:41 PM, Bruce Momjian <bruce@momjian.us> wrote:
>>> Do we want to change our ssl_ciphers default to 'DEFAULT'? Currently it
>>> is 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH'.
>> Did we ever get anywhere with this? Is this a change we want to do for 9.3?
>> Since nobody seems to have come up with a motivation for not following the
>> openssl default, we probably should?
> +1 for doing that. I'm not aware of a PostgreSQL-specific selection criterion
> for SSL cipher suites.
I did a bit of digging in the commit logs. The current default was
introduced in commit 17386ac45345fe38a10caec9d6e63afa3ce31bb9. So far
as I can find, the only discussion leading up to that patch was the
thread starting at
http://archives.postgresql.org/pgsql-interfaces/2003-04/msg00075.php
which only discusses the key renegotiation interval, not anything about
selecting the allowed ciphers. What's more, one might be forgiven for
suspecting that the cipherset string wasn't too carefully researched
after noticing that it wasn't even spelled correctly in that commit.
So +1 for changing it to "DEFAULT" from me, too. There's no reason to
think we know more about this than the OpenSSL authors.
regards, tom lane