Re: Backend SSL configuration enhancement

From: "Victor B(dot) Wagner" <vitus(at)cryptocom(dot)ru>
To: pgsql-patches(at)postgresql(dot)org
Subject: Re: Backend SSL configuration enhancement
Date: 2006-08-30 16:31:59
Message-ID: 20060830163159.GC29947@cryptocom.ru
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers pgsql-patches

On 2006.08.30 at 10:14:02 -0400, Tom Lane wrote:

> "Victor B. Wagner" <vitus(at)cryptocom(dot)ru> writes:
> > This patch adds two new configuration diretives to postgresql.conf file
> > 1. ssl_ciphers - allows server administrator to specify set of SSL
> > ciphersuites which can be used by clients to connect the server.
> > 2. ssl_engine - allows to specify loadable crypto engin (i.e. hardware
> > crypto accelerator support) to use.
>
> Why are either of these useful? What are the compatibility implications

First one is useful if for some reason some ciphers supported by OpenSSL
is not permitted to use in the particular network, or if there is need
to use ciphersuites which are not included into default ciphersuite
list, now compiled into PostgreSQL.

It might be requirement of enhanced security, or some national standards requirement.

Or vice versa - people might want client certificates for
authentication, but avoid encryption for performance reasons.

Second one can be used for taking cryptography load from server into
special hardware chip, which can be useful for loaded servers.
Also, upcoming OpenSSL 0.9.9 allows to add entirely new cryptographic
algorithms via engines, so engine support allows to use algorithms,
i.e. national standards, which are not supported in the OpenSSL core.

We have developed this patch in order to use Russian GOST algorithms
for SSL connections.
> of changing them? Does the addition of the engine-load code break
> compatibility with older OpenSSL releases?

Engines have appeared in OpenSSL quite a long ago. Version 0.9.7 already
supports them. So, compatibility is broken only with 0.9.6 and eariler
which have numerous other problems anyway.

I can recheck my patch and add conditional compilation around engine
loading code to be sure that it doesn't break compatiblity with 0.9.6,
just ignores ssl_engine keyword if underlying OpenSSL doesn't support
engines.

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Chris Browne 2006-08-30 16:48:55 Re: [COMMITTERS] pgsql: Second try committing the path changes.
Previous Message Tom Lane 2006-08-30 16:01:25 Re: Updatable views

Browse pgsql-patches by date

  From Date Subject
Next Message Jim C. Nasby 2006-08-30 16:50:37 Re: [HACKERS] Updatable views
Previous Message Tom Lane 2006-08-30 16:01:25 Re: Updatable views