	Base the default SSL ciphers on DEFAULT instead of ALL
It's better to start from what the OpenSSL people consider a good default and then remove insecure things (low encryption, exportable encryption and md5 at this point) from that, instead of starting from everything that exists and removing things from that. We trust the OpenSSL people to make good choices about what the default is.
		| @@ -3056,7 +3056,7 @@ static struct config_string ConfigureNamesString[] = | |||||||
| 		}, | 		}, | ||||||
| 		&SSLCipherSuites, | 		&SSLCipherSuites, | ||||||
| #ifdef USE_SSL | #ifdef USE_SSL | ||||||
| 		"ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH", | 		"DEFAULT:!LOW:!EXP:!MD5:@STRENGTH", | ||||||
| #else | #else | ||||||
| 		"none", | 		"none", | ||||||
| #endif | #endif | ||||||
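Review bot: The new default in the `#ifdef USE_SSL` branch drops the explicit `!ADH` exclusion, so rejecting anonymous (unauthenticated) key exchange now depends entirely on how the linked OpenSSL build defines `DEFAULT`. OpenSSL documents `DEFAULT` as a compile-time list that normally excludes aNULL and eNULL suites, but that is a property of the library rather than of this string, and a vendor-patched or reconfigured build may differ. I would keep an explicit exclusion as defence in depth, `"DEFAULT:!aNULL:!LOW:!EXP:!MD5:@STRENGTH",`, or at least add a comment such as `/* relies on OpenSSL's DEFAULT excluding aNULL/eNULL; see ciphers(1) */`. The commented-out `#ssl_ciphers` line in the sample configuration hunk below carries the same string and should stay in step with whichever form is chosen. The `ConfigureNamesString` initializer starts and ends outside this hunk.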
|   | |||||||
| @@ -79,7 +79,7 @@ | |||||||
|  |  | ||||||
| #authentication_timeout = 1min		# 1s-600s | #authentication_timeout = 1min		# 1s-600s | ||||||
| #ssl = off				# (change requires restart) | #ssl = off				# (change requires restart) | ||||||
| #ssl_ciphers = 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH'	# allowed SSL ciphers | #ssl_ciphers = 'DEFAULT:!LOW:!EXP:!MD5:@STRENGTH'	# allowed SSL ciphers | ||||||
| 					# (change requires restart) | 					# (change requires restart) | ||||||
| #ssl_renegotiation_limit = 512MB	# amount of data between renegotiations | #ssl_renegotiation_limit = 512MB	# amount of data between renegotiations | ||||||
| #ssl_cert_file = 'server.crt'		# (change requires restart) | #ssl_cert_file = 'server.crt'		# (change requires restart) | ||||||
|   | |||||||