Re: [PATCHES] Backend SSL configuration enhancement

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Peter Eisentraut <peter_e(at)gmx(dot)net>
Cc: Stefan Kaltenbrunner <stefan(at)kaltenbrunner(dot)cc>, pgsql-hackers(at)postgresql(dot)org, "Victor B(dot) Wagner" <vitus(at)cryptocom(dot)ru>
Subject: Re: [PATCHES] Backend SSL configuration enhancement
Date: 2006-08-31 18:36:28
Message-ID: 22421.1157049388@sss.pgh.pa.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers pgsql-patches

Peter Eisentraut <peter_e(at)gmx(dot)net> writes:
> In that case I'd expect to edit some central openssl configuration file to
> turn off the offending methods in one central place.

I concur with this in the abstract: it would be better design to submit
something to the OpenSSL project to allow setting engine choices and
such site-wide. In the short term, though, it's hard to deny that our
code

if (SSL_CTX_set_cipher_list(SSL_context, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH") != 1)

is pretty ad-hoc and looks exactly like the sort of thing someone might
want to adjust. I'm willing to accept the part of the patch that makes
that string into a GUC variable, until such time as OpenSSL provides a
way to configure itself site-wide so that we can remove this code
entirely. I'm not eager to accept the other part of the patch.

regards, tom lane

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Josh Berkus 2006-08-31 18:41:41 Re: Thought provoking piece on NetBSD
Previous Message Bruce Momjian 2006-08-31 18:36:12 Re: [GENERAL] Thought provoking piece on NetBSD

Browse pgsql-patches by date

  From Date Subject
Next Message Tom Lane 2006-08-31 18:45:49 Re: BUG #2600: dblink compile with SSL missing libraries
Previous Message Tom Lane 2006-08-31 18:29:46 Re: [HACKERS] Interval aggregate regression failure