Re: [PATCH] configure-time knob to set default ssl ciphers

From: Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Daniel Gustafsson <daniel(at)yesql(dot)se>, Pavel Raiskup <praiskup(at)redhat(dot)com>, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: [PATCH] configure-time knob to set default ssl ciphers
Date: 2017-02-08 17:04:39
Message-ID: 20170208170439.uloksymfpyikfi2t@alvherre.pgsql
Lists: pgsql-hackers

Tom Lane wrote:
> Daniel Gustafsson <daniel(at)yesql(dot)se> writes:
> > Since we hopefully will support more SSL libraries than OpenSSL at some point,
> > and we don’t want a torrent of configure options, wouldn’t this be better as
> > --with-server-ciphers=STRING or something similar?
>
> One of the reasons I'm not very excited about exposing this as a configure
> option is exactly that I'm not sure what happens when we get multiple TLS
> library support. The cipher list we've got at the moment seems like it
> is probably OpenSSL-specific (but maybe not?).

Maybe the list of ciphers is not OpenSSL-specific, but the *syntax* most
likely is. Particularly the abbreviations such as !eNULL and !MD5, etc.

> If we did have code for multiple libraries, perhaps some people would
> want to compile all the variants at once; in which case overloading a
> single option to be used for all the libraries would be a problem.

Hmm, I don't think our abstraction would allow for compiling more than
one at a time. ISTM that all that work has been considering that you'd
choose at most one at compile time. I'm not sure it's useful to have
more than one anyway. If you choose one SSL implementation at configure
time, it's on your head to specify an ssl-ciphers that that
implementation accepts (of course, we would choose a working default if
you don't specify one).

(I was going to suggest --with-ssl-ciphers but the protocol is called
TLS nowadays, so maybe not a great idea.)

--
Álvaro Herrera https://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
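The concern above is that the cipher-string syntax (tokens such as !eNULL, !MD5 and the "+" reordering rule) belongs to OpenSSL, so a string that one library accepts may mean nothing to another. The following is an added example, not part of this message or of PostgreSQL's own code: Python's ssl module hands a cipher string straight to the OpenSSL it is linked against, which makes it a convenient way to check what a candidate default actually expands to, whether OpenSSL rejects it, and whether the exclusions did what was intended, before the string is baked into a build default. The sample strings, the forbidden-token list and the function names are this example's own assumptions, and because the check goes through OpenSSL it says nothing about how any other TLS library would parse the same string.

```python
import ssl

# Constructed cipher strings in OpenSSL's list syntax (assumptions for this
# example, not taken from the PostgreSQL source or from the thread).
CANDIDATE = "HIGH:MEDIUM:+3DES:!aNULL:!eNULL:!MD5"
EMPTY = "!ALL"  # excludes every suite; OpenSSL reports "no cipher match"

# Substrings that must not appear in a selected suite once the matching
# "!" exclusions are present (eNULL -> NULL, aNULL -> ADH/AECDH, MD5).
FORBIDDEN = ("NULL", "ADH", "AECDH", "MD5")


def expand(spec):
    """Pass an OpenSSL-syntax cipher string to the OpenSSL that Python links
    against and return the concrete suites it selects as (name, protocol)
    tuples, in the priority order OpenSSL will use. Raises ssl.SSLError
    when the string is rejected, the same failure a server would hit at
    startup with that string configured."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)
    return [(c["name"], c["protocol"]) for c in ctx.get_ciphers()]


def is_accepted(spec):
    """True if OpenSSL parses the string and at least one suite survives."""
    try:
        expand(spec)
    except ssl.SSLError:
        return False
    return True


def forbidden_suites(spec, tokens=FORBIDDEN):
    """Names of selected suites that still carry one of the forbidden tokens."""
    return [name for name, _ in expand(spec) if any(t in name for t in tokens)]


def demoted_to_end(spec, token):
    """Verify the effect of a "+TOKEN" rule: every pre-TLS1.3 suite whose
    name contains token must come after every pre-TLS1.3 suite that does
    not. TLS 1.3 suites are skipped because cipher strings do not govern
    them; they have their own ciphersuites setting in OpenSSL 1.1.1+."""
    legacy = [name for name, proto in expand(spec) if proto != "TLSv1.3"]
    moved = [i for i, name in enumerate(legacy) if token in name]
    others = [i for i, name in enumerate(legacy) if token not in name]
    return not moved or not others or min(moved) > max(others)


if __name__ == "__main__":
    for name, proto in expand(CANDIDATE):
        print(f"{proto:8} {name}")
    print("leftover forbidden suites:", forbidden_suites(CANDIDATE))
    print("3DES demoted to the end:", demoted_to_end(CANDIDATE, "DES-CBC3"))
    print("'!ALL' accepted:", is_accepted(EMPTY))
```

Running it prints the expanded list for the local OpenSSL build, which is also why the result is build-specific: a suite that is compiled out (3DES or RC4 on newer OpenSSL) simply does not appear, and a string that excludes everything is refused rather than silently producing an empty list. Unknown keywords, on the other hand, are ignored by OpenSSL as long as something still matches, so a typo in a default goes unnoticed unless the expansion is inspected.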
