| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Pavel Raiskup <praiskup(at)redhat(dot)com> |
| Cc: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: [PATCH] configure-time knob to set default ssl ciphers |
| Date: | 2017-02-07 16:21:37 |
| Message-ID: | 16291.1486484497@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Pavel Raiskup <praiskup(at)redhat(dot)com> writes:
> PostgreSQL server uses 'HIGH:MEDIUM:+3DES:!aNULL' cipher set by default,
> but what Fedora would like to have is 'PROFILE=SYSTEM' (works with
> Fedora-patched OpenSSL, so please don't waste your time with checking this
> elsewhere).
> ...
> I'd like to propose the attached patch, so we could (without downstream
> patching) do
> $ ./configure ... --with-openssl-be-ciphers=PROFILE=SYSTEM
Meh. This is pretty far from a complete patch: it introduces an
undocumented configure switch, and it changes the default value for a GUC
without fixing either the corresponding SGML documentation or the
postgresql.conf.sample line for it.
While it would surely be possible to build all the infrastructure to make
that work right, I'm not really sure that we want to carry around that
much baggage for a single-system hack.
A compromise that might be worth considering is to introduce
#define PG_DEFAULT_SSL_CIPHERS "HIGH:MEDIUM:+3DES:!aNULL"
into pg_config_manual.h, which would at least give you a reasonably
stable target point for a long-lived patch.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Emre Hasegeli | 2017-02-07 16:25:48 | Re: Press Release Draft - 2016-02-09 Cumulative Update |
| Previous Message | Joel Jacobson | 2017-02-07 16:16:51 | Re: Idea on how to simplify comparing two sets |