Re: [PATCHES] Backend SSL configuration enhancement

From: "Victor B(dot) Wagner" <vitus(at)cryptocom(dot)ru>
To: Peter Eisentraut <peter_e(at)gmx(dot)net>
Cc: Stefan Kaltenbrunner <stefan(at)kaltenbrunner(dot)cc>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: [PATCHES] Backend SSL configuration enhancement
Date: 2006-08-31 09:19:44
Message-ID: 20060831091944.GC9731@cryptocom.ru
Views: Raw Message | Whole Thread | Download mbox
Thread:
Lists: pgsql-hackers pgsql-patches

On 2006.08.31 at 10:34:02 +0200, Peter Eisentraut wrote:

> Am Donnerstag, 31. August 2006 11:29 schrieb Stefan Kaltenbrunner:
> > this is btw. something that is available in most daemons utilizing
> > openssl - one can disable weak ciphers (which might not even be known as
> > weak at the time the defaults where set) or ciphers not authorized for
> > certain usage scenarios by this means.
>
> In that case I'd expect to edit some central openssl configuration file to
> turn off the offending methods in one central place.

There is no such functionality in OpenSSL configuration file.
Moreover, other SSL applications such as Apache, use more fine-grained
apporoach - use different ciphersuite settings for virtual hosts and
even particular web pages.

Cipher strength is quantitive characteristic. In some cases same cipher
can be strong enough, and in some - not.

I can imagine scenarios where different databases or even different
roles in the same database would require different strength of cipher.

For example, user with read-only access to tables (say web server,
visualizing data) can connect without encryption at all, user with
update/insert permissions - with 128-bit encryption, and database
superuser - only with 256-bit.

But I don't think that implementation of such flexibility would be
neccessary until there would be certificate based database
authentication.

In response to

Browse pgsql-hackers by date

  From Date Subject
Next Message Stefan Kaltenbrunner 2006-08-31 09:29:38 Re: [PATCHES] Backend SSL configuration enhancement
Previous Message Bernd Helmle 2006-08-31 09:02:14 Re: Updatable views

Browse pgsql-patches by date

  From Date Subject
Next Message Stefan Kaltenbrunner 2006-08-31 09:29:38 Re: [PATCHES] Backend SSL configuration enhancement
Previous Message Bernd Helmle 2006-08-31 09:02:14 Re: Updatable views