| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> |
| Cc: | Pavel Raiskup <praiskup(at)redhat(dot)com>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: [PATCH] configure-time knob to set default ssl ciphers |
| Date: | 2017-02-08 06:05:08 |
| Message-ID: | 12505.1486533908@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> writes:
> On 2/7/17 11:21 AM, Tom Lane wrote:
>> A compromise that might be worth considering is to introduce
>> #define PG_DEFAULT_SSL_CIPHERS "HIGH:MEDIUM:+3DES:!aNULL"
>> into pg_config_manual.h, which would at least give you a reasonably
>> stable target point for a long-lived patch.
> You'd still need to patch postgresql.conf.sample somehow.
Right. The compromise position that I had in mind was to add the
#define in pg_config_manual.h and teach initdb to propagate it into
the installed copy of postgresql.conf, as we've done with other GUCs
with platform-dependent defaults, such as backend_flush_after.
That still leaves the question of what to do with the SGML docs.
We could add some weasel wording to the effect that the default might
be platform-specific, or we could leave the docs alone and expect the
envisioned Red Hat patch to patch config.sgml along with
pg_config_manual.h.
It looks like the xxx_flush_after GUCs aren't exactly fully documented
as to this point, so we have some work to do there too :-(
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Kuntal Ghosh | 2017-02-08 06:25:10 | Re: WAL consistency check facility |
| Previous Message | Peter Eisentraut | 2017-02-08 05:44:35 | Re: [PATCH] configure-time knob to set default ssl ciphers |