Re: Disable OpenSSL compression

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Andrew Dunstan <andrew(at)dunslane(dot)net>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Jeroen Vermeulen <jtv(at)xs4all(dot)nl>, Albe Laurenz <laurenz(dot)albe(at)wien(dot)gv(dot)at>, Marko Kreen <markokr(at)gmail(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Disable OpenSSL compression
Date: 2011-11-10 14:47:57
Message-ID: CABUevEzoPV0PjvW7FPYyTfg5+WX79eK36SG6gFaBQhs42b4bSA@mail.gmail.com
Lists: pgsql-hackers

On Thursday, November 10, 2011, Andrew Dunstan wrote:

>
>
> On 11/08/2011 12:39 PM, Tom Lane wrote:
>
>> Jeroen Vermeulen<jtv(at)xs4all(dot)nl> writes:
>>
>>> Another reason why I believe compression is often used with encryption
>>> is to maximize information content per byte of data: harder to guess,
>>> harder to crack. Would that matter?
>>>
>> Yes, it would. There's a reason why the OpenSSL default is what it is.
>>
>>
>>
>
>
> An interesting data point on this is that RedHat's nss_compat_ossl package
> doesn't support SSL compression at all
> <http://fedoraproject.org/wiki/Nss_compat_ossl>,
> and it's supposed to be a path to FIPS 140 compliance:
> <http://fedoraproject.org/wiki/FedoraCryptoConsolidation>.
> The latter URL, incidentally, contains a lot of good information,
> and lays out many of the reasons why I'd like to see us support NSS as an
> alternative to OpenSSL, notwithstanding the supposed dirtiness of its API.
> I imagine this would be of interest to commercial Postgres vendors also.

Interesting points. I hadn't really considered it from the FIPS perspective.

I thought the main idea was that if we want to support another one it's
probably going to be GnuTLS because that one offers key-file-compatibility
with OpenSSL, which NSS doesn't.

//Magnus

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
