|
408 | 408 |
|
409 | 409 | <listitem>
|
410 | 410 | <!--
|
| 411 | +2017-07-31 [c0a15e07c] Always use 2048 bit DH parameters for OpenSSL ephemeral |
| 412 | +--> |
| 413 | + <para> |
| 414 | + Add configuration option <xref linkend="guc-ssl-dh-params-file"> to |
| 415 | + specify filename for custom OpenSSL DH parameters (Heikki Linnakangas) |
| 416 | + </para> |
| 417 | + |
| 418 | + <para> |
| 419 | + This replaces the hardcoded, undocumented <filename>dh1024.pem</> |
| 420 | + filename. Note that <filename>dh1024.pem</> is no longer used by default; |
| 421 | + you must set the option to use custom DH parameters. |
| 422 | + </para> |
| 423 | + </listitem> |
| 424 | + |
| 425 | + <listitem> |
| 426 | +<!-- |
| 427 | +2017-07-31 [c0a15e07c] Always use 2048 bit DH parameters for OpenSSL ephemeral |
| 428 | +--> |
| 429 | + <para> |
| 430 | + Increase the size of DH parameters used for OpenSSL ephemeral DH ciphers |
| 431 | + to 2048 bits (Heikki Linnakangas) |
| 432 | + </para> |
| 433 | + |
| 434 | + <para> |
| 435 | + The size of the compiled-in DH parameters has been increased from 1024 |
| 436 | + to 2048 bits, making DH key exchange more resistent to a brute-force |
| 437 | + attack. However, some old SSL implementations, notably some revisions of |
| 438 | + Java Runtime Environment version 6, will not accept DH parameters longer |
| 439 | + than 1024 bits, and will not be able to connect over SSL. As a |
| 440 | + work-around, you can use custom 1024-bit DH parameters, instead of the |
| 441 | + compiled-in defaults. See <xref linkend="guc-ssl-dh-params-file"> for |
| 442 | + information on using custom DH parameters. |
| 443 | + </para> |
| 444 | + </listitem> |
| 445 | + |
| 446 | + <listitem> |
| 447 | +<!-- |
411 | 448 | 2017-02-13 [7ada2d31f] Remove contrib/tsearch2.
|
412 | 449 | -->
|
413 | 450 | <para>
|
|
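Review bot: In the second new entry, "resistent" on new line 436 should be "resistant", and the work-around on new lines 439-441 recommends custom 1024-bit DH parameters without saying that this gives up the strength increase the entry has just announced. Consider adding a clause that the work-around restores the weaker key exchange and should be limited to servers that must accept the old clients named here. In the first entry (new lines 419-421), the note that <filename>dh1024.pem</> "is no longer used by default" would be clearer if it said outright that an existing file of that name is ignored unless the new option points at it, since that is the upgrade-relevant behaviour change.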