Re: [PATCH] configure-time knob to set default ssl ciphers

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Pavel Raiskup <praiskup(at)redhat(dot)com>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: [PATCH] configure-time knob to set default ssl ciphers
Date: 2017-02-07 16:21:37
Message-ID: 16291.1486484497@sss.pgh.pa.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

Pavel Raiskup <praiskup(at)redhat(dot)com> writes:
> PostgreSQL server uses 'HIGH:MEDIUM:+3DES:!aNULL' cipher set by default,
> but what Fedora would like to have is 'PROFILE=SYSTEM' (works with
> Fedora-patched OpenSSL, so please don't waste your time with checking this
> elsewhere).
> ...
> I'd like to propose the attached patch, so we could (without downstream
> patching) do
> $ ./configure ... --with-openssl-be-ciphers=PROFILE=SYSTEM

Meh. This is pretty far from a complete patch: it introduces an
undocumented configure switch, and it changes the default value for a GUC
without fixing either the corresponding SGML documentation or the
postgresql.conf.sample line for it.

While it would surely be possible to build all the infrastructure to make
that work right, I'm not really sure that we want to carry around that
much baggage for a single-system hack.

A compromise that might be worth considering is to introduce

#define PG_DEFAULT_SSL_CIPHERS "HIGH:MEDIUM:+3DES:!aNULL"

into pg_config_manual.h, which would at least give you a reasonably
stable target point for a long-lived patch.

regards, tom lane

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Emre Hasegeli 2017-02-07 16:25:48 Re: Press Release Draft - 2016-02-09 Cumulative Update
Previous Message Joel Jacobson 2017-02-07 16:16:51 Re: Idea on how to simplify comparing two sets