On Fri, May 12, 2006 at 06:39:44PM -0400, Tom Lane wrote: > Michael Fuhr <[EMAIL PROTECTED]> writes: > > If $PGDATA/dh1024.pem exists and if SSL connections are enabled, > > then each SSL connection logs the following: > > DH_check error (dh1024.pem): No SSL error reported > > The backend then loads the hardcoded parameters. The SSL connection > > works, but with DH parameters other than intended. > > So it's not that surprising that no one noticed it was broken :-(
Incidentally, is it necessary to load the DH parameters anew and call DH_check for every connection? The parameters don't change and DH_check is fairly expensive: checking a 1024-bit parameter on a 500MHz Pentium III takes about 260ms, which can be a significant portion of the SSL handshake. The expense is probably negligible on fast hardware but on older systems it makes connect times noticeably slow (one of my test boxes is a 143MHz sparc Ultra 1; DH_check takes almost 2 sec). -- Michael Fuhr ---------------------------(end of broadcast)--------------------------- TIP 6: explain analyze is your friend
