Skip site navigation (1) Skip section navigation (2)

Re: Backend SSL configuration enhancement

From: "Victor B(dot) Wagner" <vitus(at)cryptocom(dot)ru>
To: pgsql-patches(at)postgresql(dot)org
Subject: Re: Backend SSL configuration enhancement
Date: 2006-08-30 16:31:59
Message-ID: 20060830163159.GC29947@cryptocom.ru (view raw or flat)
Thread:
Lists: pgsql-hackerspgsql-patches
On 2006.08.30 at 10:14:02 -0400, Tom Lane wrote:

> "Victor B. Wagner" <vitus(at)cryptocom(dot)ru> writes:
> > This patch adds two new configuration diretives to postgresql.conf file
> > 1. ssl_ciphers  - allows server administrator to  specify set of SSL
> > ciphersuites which can be used by clients to connect  the server.
> > 2. ssl_engine - allows  to specify loadable crypto engin (i.e. hardware
> > crypto accelerator support) to use.
> 
> Why are either of these useful?  What are the compatibility implications

First one is useful if for some reason some ciphers supported by OpenSSL 
is not permitted to use in the particular network, or if there is need
to use ciphersuites which are not included into default ciphersuite
list, now compiled into PostgreSQL.  

It might be requirement of enhanced security, or some national standards requirement.

Or vice versa - people might want client certificates for
authentication, but avoid encryption for performance reasons.

Second one can be used for taking cryptography load from server into
special hardware chip, which can be useful for loaded servers.
Also, upcoming OpenSSL 0.9.9 allows to add entirely new cryptographic
algorithms via engines, so engine support allows to use algorithms,
i.e. national standards, which are not supported in the OpenSSL core.

We have developed this patch in order to use Russian GOST algorithms
for SSL connections.
> of changing them?  Does the addition of the engine-load code break
> compatibility with older OpenSSL releases?

Engines have appeared in OpenSSL quite a long ago. Version 0.9.7 already
supports them. So, compatibility is broken only with 0.9.6 and eariler
which have numerous other problems anyway.

I can recheck my patch and add conditional compilation around engine
loading code to be sure that it doesn't break compatiblity with 0.9.6,
just ignores ssl_engine keyword if underlying OpenSSL doesn't support
engines.



In response to

Responses

pgsql-hackers by date

Next:From: Chris BrowneDate: 2006-08-30 16:48:55
Subject: Re: [COMMITTERS] pgsql: Second try committing the path changes.
Previous:From: Tom LaneDate: 2006-08-30 16:01:25
Subject: Re: Updatable views

pgsql-patches by date

Next:From: Jim C. NasbyDate: 2006-08-30 16:50:37
Subject: Re: [HACKERS] Updatable views
Previous:From: Tom LaneDate: 2006-08-30 16:01:25
Subject: Re: Updatable views

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group