Thread

Commits

  1. doc: Specify when ssl_prefer_server_ciphers was added

  1. Document when ssl_prefer_server_ciphers went in

    Daniel Gustafsson <daniel@yesql.se> — 2024-07-03T09:23:25Z

    In the documentation for ssl_prefer_server_ciphers we only say it's not in
    "older version" but we omit to specify it further.  Since it's a fairly
    important setting for security I think it makes sense to add the version to
    help users, as in the small attached diff (which also adds proper markup in the
    paragraph while in there).
    
    --
    Daniel Gustafsson
    
    
  2. Re: Document when ssl_prefer_server_ciphers went in

    Peter Eisentraut <peter@eisentraut.org> — 2024-07-03T09:49:25Z

    On 03.07.24 11:23, Daniel Gustafsson wrote:
    > In the documentation for ssl_prefer_server_ciphers we only say it's not in
    > "older version" but we omit to specify it further.  Since it's a fairly
    > important setting for security I think it makes sense to add the version to
    > help users, as in the small attached diff (which also adds proper markup in the
    > paragraph while in there).
    
    Looks reasonable to me.
    
    Would it make sense to remove the setting altogether?
    
    
    
    
    
  3. Re: Document when ssl_prefer_server_ciphers went in

    Tom Lane <tgl@sss.pgh.pa.us> — 2024-07-03T16:22:43Z

    Daniel Gustafsson <daniel@yesql.se> writes:
    > In the documentation for ssl_prefer_server_ciphers we only say it's not in
    > "older version" but we omit to specify it further.  Since it's a fairly
    > important setting for security I think it makes sense to add the version to
    > help users, as in the small attached diff (which also adds proper markup in the
    > paragraph while in there).
    
    This could be shortened perhaps:
    
    -        Older PostgreSQL versions do not have this setting and always use the
    +        <productname>PostgreSQL</productname> versions before 9.4 do not have this setting and always use the
    
    			regards, tom lane
    
    
    
    
  4. Re: Document when ssl_prefer_server_ciphers went in

    Daniel Gustafsson <daniel@yesql.se> — 2024-07-03T16:51:57Z

    > On 3 Jul 2024, at 18:22, Tom Lane <tgl@sss.pgh.pa.us> wrote:
    > 
    > Daniel Gustafsson <daniel@yesql.se> writes:
    >> In the documentation for ssl_prefer_server_ciphers we only say it's not in
    >> "older version" but we omit to specify it further.  Since it's a fairly
    >> important setting for security I think it makes sense to add the version to
    >> help users, as in the small attached diff (which also adds proper markup in the
    >> paragraph while in there).
    > 
    > This could be shortened perhaps:
    > 
    > -        Older PostgreSQL versions do not have this setting and always use the
    > +        <productname>PostgreSQL</productname> versions before 9.4 do not have this setting and always use the
    
    Good idea, that reads better.
    
    --
    Daniel Gustafsson
    
    
    
    
    
  5. Re: Document when ssl_prefer_server_ciphers went in

    Daniel Gustafsson <daniel@yesql.se> — 2024-07-04T10:17:38Z

    > On 3 Jul 2024, at 11:49, Peter Eisentraut <peter@eisentraut.org> wrote:
    > 
    > On 03.07.24 11:23, Daniel Gustafsson wrote:
    >> In the documentation for ssl_prefer_server_ciphers we only say it's not in
    >> "older version" but we omit to specify it further.  Since it's a fairly
    >> important setting for security I think it makes sense to add the version to
    >> help users, as in the small attached diff (which also adds proper markup in the
    >> paragraph while in there).
    > 
    > Looks reasonable to me.
    
    Thanks, pushed with the wording suggested to Tom downthread.
    
    > Would it make sense to remove the setting altogether?
    
    I wouldn't be opposed to it, I can't think of any legitimate usecase for it
    outside of testing (it's very similar to ssl_max_protocol_version in that
    sense).  On the other hand, it's very little code to carry and removing it
    would cause churn for anyone who has it in their configuration management
    system for provisioning.  Maybe it would make sense to remove it from the
    sample config?
    
    --
    Daniel Gustafsson