security notice and clarifications

[magwas]

on choosing the right cipher suite for client key

I should not recommend to use simple DES without any warnings: I'm supposed to be a security professional after all.
As neither me, and presumably nor others in the project really have more time to research the problem and test solutions, I think this warning is the minimum to sleep well.

All Submissions:

• [x ] Have you followed the guidelines in our Contributing document?
• [ x] Have you checked to ensure there aren't other open Pull Requests for the same update/change?

[AppVeyorBot]

✅ Build pgjdbc 1.0.488 completed (commit 09d1680 by @magwas)

[codecov-io]

Codecov Report

Merging #1591 into master will decrease coverage by <.01%.
The diff coverage is n/a.

@@             Coverage Diff              @@
##             master    #1591      +/-   ##
============================================
- Coverage     68.96%   68.95%   -0.01%     
+ Complexity     3997     3996       -1     
============================================
  Files           179      179              
  Lines         16622    16622              
  Branches       2707     2707              
============================================
- Hits          11463    11462       -1     
  Misses         3905     3905              
- Partials       1254     1255       +1

[davecramer]

@magwas
I have figured out a somewhat simple way to create and use a PKCS#12 file, however it is encrypted using triple DES. I'm not a security expert, but apparently it is also not safe ?
Comments ?

[magwas]

For some reasons I thought that I have already commented on this:
3DES is okayish for maybe a couple of years, but there are settings where it is already unacceptable.
The way to go is high keylength AES.
Cracking simple DES is a matter of $50.

[davecramer]

For some reasons I thought that I have already commented on this:
3DES is okayish for maybe a couple of years, but there are settings where it is already unacceptable.
The way to go is high keylength AES.
Cracking simple DES is a matter of $50.

Sadly the only version of java that supports AES is JDK12. I'll add that to the PR later this week

[magwas]

There should be a way to support state of the art crypto (and it is a shame if the current LTS does not do it). What about integrating BouncyCastle?

[davecramer]

I'd prefer to avoid BC but this may be the only solution. I'll continue to look next week.

[davecramer]

If BC can fix this I'd be more than happy to add it to the dependencies.