| From: | Pavel Raiskup <praiskup(at)redhat(dot)com> |
|---|---|
| To: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | [PATCH] configure-time knob to set default ssl ciphers |
| Date: | 2017-02-07 14:55:32 |
| Message-ID: | 1597541.4SyjC8fqHr@nb.usersys.redhat.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Hi hackers,
in Fedora, there's crypto initiative where people try to consolidate ssl
cipher settings for (majority of) Fedora services (PostgreSQL is
included).
PostgreSQL server uses 'HIGH:MEDIUM:+3DES:!aNULL' cipher set by default,
but what Fedora would like to have is 'PROFILE=SYSTEM' (works with
Fedora-patched OpenSSL, so please don't waste your time with checking this
elsewhere). What that really does is:
kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:!EXP:!DES:!RC4:!RC2:!IDEA\
:!SEED:!eNULL:!aNULL:!MD5:!SSLv2
.. but that's just for the record (should be subset of upstream default);
more info in RH bug [1].
I'd like to propose the attached patch, so we could (without downstream
patching) do
$ ./configure ... --with-openssl-be-ciphers=PROFILE=SYSTEM
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1348125
Thanks for considering!
Pavel
| Attachment | Content-Type | Size |
|---|---|---|
| 0001-Allow-setting-distribution-specific-cipher-set.patch | text/x-patch | 4.1 KB |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Andreas Karlsson | 2017-02-07 14:59:32 | Re: 'text' instead of 'unknown' in Postgres 10 |
| Previous Message | Fujii Masao | 2017-02-07 14:53:09 | Re: DROP SUBSCRIPTION and ROLLBACK |