Re: Disable OpenSSL compression

On Thursday, November 10, 2011, Andrew Dunstan wrote:

>
>
> On 11/08/2011 12:39 PM, Tom Lane wrote:
>
>> Jeroen Vermeulen<jtv(at)xs4all(dot)nl> writes:
>>
>>> Another reason why I believe compression is often used with encryption
>>> is to maximize information content per byte of data: harder to guess,
>>> harder to crack. Would that matter?
>>>
>> Yes, it would. There's a reason why the OpenSSL default is what it is.
>>
>>
>>
>
>
> An interesting data point on this is that RedHat's nss_compat_ossl package
> doesn't support SSL compression at all <http://fedoraproject.org/**
> wiki/Nss_compat_ossl <http://fedoraproject.org/wiki/Nss_compat_ossl>>,
> and it's supposed to be a path to FIPS 140 compliance: <
> http://fedoraproject.org/**wiki/FedoraCryptoConsolidation<http://fedoraproject.org/wiki/FedoraCryptoConsolidation>
> **>. The latter URL, incidentally, contains a lot of good information,
> and lays out many of the reasons why I'd like to see us support NSS as an
> alternative to OpenSSL, notwithstanding the supposed dirtiness of its API.
> I imagine this would be of interest to commercial Postgres vendors also.

Interesting points. I hadn't really considered it from the FIPS perspective.

I thought the main idea was that if we want to support another one it's
probably going to be GnuTLS because that one offers key-file-compatibility
with OpenSSL, which NSS doesnät.

//Magnus

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/