Skip site navigation (1) Skip section navigation (2)

Peripheral Links

Header And Logo

PostgreSQL
| The world's most advanced open source database.

Site Navigation

Search archives
  Advanced Search

Re: [PATCHES] Backend SSL configuration enhancement

  • From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
  • To: Peter Eisentraut <peter_e(at)gmx(dot)net>
  • Cc: Stefan Kaltenbrunner <stefan(at)kaltenbrunner(dot)cc>, pgsql-hackers(at)postgresql(dot)org, "Victor B. Wagner" <vitus(at)cryptocom(dot)ru>
  • Subject: Re: [PATCHES] Backend SSL configuration enhancement
  • Date: Thu, 31 Aug 2006 14:36:28 -0400
  • Message-id: <22421.1157049388@sss.pgh.pa.us> <text/plain>
Peter Eisentraut <peter_e(at)gmx(dot)net> writes:
> In that case I'd expect to edit some central openssl configuration file to 
> turn off the offending methods in one central place.

I concur with this in the abstract: it would be better design to submit
something to the OpenSSL project to allow setting engine choices and
such site-wide.  In the short term, though, it's hard to deny that our
code

    if (SSL_CTX_set_cipher_list(SSL_context, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH") != 1)

is pretty ad-hoc and looks exactly like the sort of thing someone might
want to adjust.  I'm willing to accept the part of the patch that makes
that string into a GUC variable, until such time as OpenSSL provides a
way to configure itself site-wide so that we can remove this code
entirely.  I'm not eager to accept the other part of the patch.

			regards, tom lane
Home | Main Index | Thread Index

Privacy Policy | About PostgreSQL
Copyright © 1996 – 2012 PostgreSQL Global Development Group