From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | Andrew Dunstan <andrew(at)dunslane(dot)net> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Jeroen Vermeulen <jtv(at)xs4all(dot)nl>, Albe Laurenz <laurenz(dot)albe(at)wien(dot)gv(dot)at>, Marko Kreen <markokr(at)gmail(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Disable OpenSSL compression |
Date: | 2011-11-10 14:47:57 |
Message-ID: | CABUevEzoPV0PjvW7FPYyTfg5+WX79eK36SG6gFaBQhs42b4bSA@mail.gmail.com |
Lists: | pgsql-hackers |
On Thursday, November 10, 2011, Andrew Dunstan wrote:
>
>
> On 11/08/2011 12:39 PM, Tom Lane wrote:
>
>> Jeroen Vermeulen<jtv(at)xs4all(dot)nl> writes:
>>
>>> Another reason why I believe compression is often used with encryption
>>> is to maximize information content per byte of data: harder to guess,
>>> harder to crack. Would that matter?
>>>
>> Yes, it would. There's a reason why the OpenSSL default is what it is.
>>
>>
>>
>
>
> An interesting data point on this is that RedHat's nss_compat_ossl package
> doesn't support SSL compression at all
> <http://fedoraproject.org/wiki/Nss_compat_ossl>,
> and it's supposed to be a path to FIPS 140 compliance:
> <http://fedoraproject.org/wiki/FedoraCryptoConsolidation>.
> The latter URL, incidentally, contains a lot of good information,
> and lays out many of the reasons why I'd like to see us support NSS as an
> alternative to OpenSSL, notwithstanding the supposed dirtiness of its API.
> I imagine this would be of interest to commercial Postgres vendors also.
Interesting points. I hadn't really considered it from the FIPS perspective.
I thought the main idea was that if we want to support another one it's
probably going to be GnuTLS because that one offers key-file-compatibility
with OpenSSL, which NSS doesn't.
//Magnus
--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/