From: Marko Kreen
Date: Tue, 4 Aug 2015 20:57:39 +0000 (+0300)
Subject: tls: Use "fast" as default cipher shortcut.
X-Git-Tag: pgbouncer_1_7_rc1~44
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=3176782cbf4acdbe272b28ff7edaa8b709431125;p=pgbouncer

tls: Use "fast" as default cipher shortcut.

This keeps pgbouncer clean of magic spells for OpenSSL...
---
diff --git a/lib b/lib
index 7177b2a..4460751 160000
--- a/lib
+++ b/lib
@@ -1 +1 @@
-Subproject commit 7177b2af4f65037d19ff193073b06d6347d4b614
+Subproject commit 446075169b32ef0cac09da20abe04a59f09c308c
diff --git a/src/main.c b/src/main.c
index 9495573..983faaa 100644
--- a/src/main.c
+++ b/src/main.c
@@ -31,11 +31,6 @@
 #include
 #endif
-#ifndef DEFAULT_TLS_CIPHERS
-/* enable only PFS, deprioritize/remove slower ones */
-#define DEFAULT_TLS_CIPHERS "EECDH+HIGH:EDH+HIGH:+AES256:+SHA256:+SHA384:+SSLv3:+EDH:-CAMELLIA:-3DES:!DSS:!aNULL"
-#endif
-
 static const char usage_str[] =
 "Usage: %s [OPTION]... config.ini\n"
 " -d, --daemon Run in background (as a daemon)\n"
@@ -278,7 +273,7 @@ CF_ABS("client_tls_ca_file", CF_STR, cf_client_tls_ca_file, CF_NO_RELOAD, ""),
 CF_ABS("client_tls_cert_file", CF_STR, cf_client_tls_cert_file, CF_NO_RELOAD, ""),
 CF_ABS("client_tls_key_file", CF_STR, cf_client_tls_key_file, CF_NO_RELOAD, ""),
 CF_ABS("client_tls_protocols", CF_STR, cf_client_tls_protocols, CF_NO_RELOAD, "all"),
-CF_ABS("client_tls_ciphers", CF_STR, cf_client_tls_ciphers, CF_NO_RELOAD, DEFAULT_TLS_CIPHERS),
+CF_ABS("client_tls_ciphers", CF_STR, cf_client_tls_ciphers, CF_NO_RELOAD, "fast"),
 CF_ABS("client_tls_dheparams", CF_STR, cf_client_tls_dheparams, CF_NO_RELOAD, "auto"),
 CF_ABS("client_tls_ecdhcurve", CF_STR, cf_client_tls_ecdhecurve, CF_NO_RELOAD, "auto"),
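Review bot: The default for `client_tls_ciphers` here (and for `server_tls_ciphers` in the next hunk) is now the bare keyword `"fast"`, so the policy the removed `DEFAULT_TLS_CIPHERS` string spelled out (PFS-only key exchange, `-3DES`, `!DSS`, `!aNULL`) can no longer be read or audited from this file. The expansion presumably lives in the `lib` submodule this commit bumps, but that code is not visible in the diff. I would add a comment above these entries, e.g. `/* "fast" is a cipher keyword expanded by the TLS code in lib/; its expansion must keep excluding anonymous and non-PFS suites */`, and state the effective cipher list in the config reference. The `#ifndef DEFAULT_TLS_CIPHERS` guard is also gone, so any build that defined that macro externally to pin its own cipher policy would now silently get `"fast"`; that deserves a release note. The initializer table starts and ends outside this hunk.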
@@ -287,7 +282,7 @@ CF_ABS("server_tls_ca_file", CF_STR, cf_server_tls_ca_file, CF_NO_RELOAD, ""),
 CF_ABS("server_tls_cert_file", CF_STR, cf_server_tls_cert_file, CF_NO_RELOAD, ""),
 CF_ABS("server_tls_key_file", CF_STR, cf_server_tls_key_file, CF_NO_RELOAD, ""),
 CF_ABS("server_tls_protocols", CF_STR, cf_server_tls_protocols, CF_NO_RELOAD, "all"),
-CF_ABS("server_tls_ciphers", CF_STR, cf_server_tls_ciphers, CF_NO_RELOAD, DEFAULT_TLS_CIPHERS),
+CF_ABS("server_tls_ciphers", CF_STR, cf_server_tls_ciphers, CF_NO_RELOAD, "fast"),
 {NULL}
 };