On Sat, May 17, 2014 at 10:36:59PM +0300, Marko Kreen wrote:
> - Clarify ECDH description in release notes.
> - Fix default value - it's 'prime256v1'.
> - List curves with good cross-platform support explicitly
> (NIST P-256 / P-384 / P-521).
>
> The -list_curves output is full of garbage, it's hard to know which
> ones make sense to use. Only those three curves are supported
> cross-platform - OpenSSL/Java/Windows - so list them explicitly.
>
> Only reason to tune this value is changing overall security
> level up/down, so now this can be done safely and quickly.
>
> Only upwards though. We could also list here NIST P-192/P-224
> (prime192v1, secp224r1), but those are not supported by Windows.
> And prime256v1 is quite fast already.
>
> In the future it might make philosophical sense to list
> also Brainpool curves (RFC7027), or some new curves from
> http://safecurves.cr.yp.to/ when they are brought to TLS.
> But currently only NIST/NSA curves are a working option,
> so let's keep it simple for users.
Attached patch applied. I shortened the release note description.
--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ Everyone has their own god. +
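As an added example (not code from this thread or from PostgreSQL), a small Python script that parses the kind of `openssl ecparam -list_curves` listing the discussion complains about, keeps only the three cross-platform curves it names, and classifies a candidate `ssl_ecdh_curve` value. The listing is constructed to mimic the real format, and the "weaker" class is my reading of the "only upwards" remark: anything with a smaller field than the prime256v1 default is a downgrade.

```python
"""Classify ssl_ecdh_curve candidates against a -list_curves listing.
The listing below is constructed to mimic the real format; it is not
the output of any particular OpenSSL build."""
import re

# OpenSSL names of the three curves the thread calls out as supported
# across OpenSSL, Java and Windows, mapped to their NIST names.
CROSS_PLATFORM = {
    "prime256v1": "NIST P-256",
    "secp384r1": "NIST P-384",
    "secp521r1": "NIST P-521",
}
DEFAULT_CURVE = "prime256v1"  # default named in the thread

# Constructed excerpt in the `name : description` shape of -list_curves.
SAMPLE_LIST_CURVES = """\
  secp256k1 : SECG curve over a 256 bit prime field
  secp384r1 : NIST/SECG curve over a 384 bit prime field
  secp521r1 : NIST/SECG curve over a 521 bit prime field
  prime192v1: NIST/X9.62/SECG curve over a 192 bit prime field
  prime256v1: X9.62/SECG curve over a 256 bit prime field
  brainpoolP256r1: RFC 5639 curve over a 256 bit prime field
"""

_LINE = re.compile(r"^\s*(?P<name>\S+)\s*:\s*(?P<desc>.*\S)\s*$")
_BITS = re.compile(r"over a (\d+) bit")

def parse_list_curves(text):
    """Return {curve_name: field_size_bits} from -list_curves output."""
    curves = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            b = _BITS.search(m.group("desc"))
            curves[m.group("name")] = int(b.group(1)) if b else 0
    return curves

def check_ecdh_curve(value, text):
    """'unknown' (not offered), 'ok' (cross-platform), 'weaker' (smaller
    field than the default, i.e. tuning downwards) or 'niche' (not portable)."""
    curves = parse_list_curves(text)
    if value not in curves:
        return "unknown"
    if value in CROSS_PLATFORM:
        return "ok"
    if curves[value] < curves.get(DEFAULT_CURVE, 0):
        return "weaker"
    return "niche"
```

On a real host, feed the script the actual output of `openssl ecparam -list_curves` instead of the constructed sample.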