From: | Florian Pflug <fgp(at)phlo(dot)org> |
---|---|
To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
Cc: | Martijn van Oosterhout <kleptog(at)svana(dot)org>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Magnus Hagander <magnus(at)hagander(dot)net>, Euler Taveira <euler(at)timbira(dot)com>, Bruce Momjian <bruce(at)momjian(dot)us>, Pgsql Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: libpq compression |
Date: | 2012-06-20 10:35:29 |
Message-ID: | 1D8B2B60-F42E-448C-9295-C07FACCF0611@phlo.org |
Lists: | pgsql-hackers |
On Jun 19, 2012, at 17:36, Robert Haas wrote:
> On Mon, Jun 18, 2012 at 1:42 PM, Martijn van Oosterhout
> <kleptog(at)svana(dot)org> wrote:
>> On Sun, Jun 17, 2012 at 12:29:53PM -0400, Tom Lane wrote:
>>> The fly in the ointment with any of these ideas is that the "configure
>>> list" is not a list of exact cipher names, as per Magnus' comment that
>>> the current default includes tests like "!aNULL". I am not sure that
>>> we know how to evaluate such conditions if we are applying an
>>> after-the-fact check on the selected cipher. Does OpenSSL expose any
>>> API for evaluating whether a selected cipher meets such a test?
>>
>> I'm not sure whether there's an API for it, but you can certainly check
>> manually with "openssl ciphers -v", for example:
>>
>> $ openssl ciphers -v 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP'
>> NULL-SHA SSLv3 Kx=RSA Au=RSA Enc=None Mac=SHA1
>> NULL-MD5 SSLv3 Kx=RSA Au=RSA Enc=None Mac=MD5
>>
>> ...etc...
>>
>> So unless the openssl includes the code twice there must be a way to
>> extract the list from the library.
>
> There doubtless is, but I'd be willing to wager that you won't be
> able to figure out the exact method without reading the source code
> for 'openssl ciphers' to see how it was done there, and most likely
> you'll find that at least one of the functions they use has no man
> page. Documentation isn't their strong point.
Yes, unfortunately.
I wonder though if we shouldn't restrict the allowed ciphers list to being
a simple list of supported ciphers. If our goal is to support multiple
SSL libraries transparently then surely having openssl-specific syntax
in the config file isn't exactly great anyway...
best regards,
Florian Pflug
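As an added example (not code from this thread or from PostgreSQL), the after-the-fact check Tom asks about can be done without parsing the cipher-list syntax at all: hand the string to OpenSSL, let it expand the list, and test membership. This uses Python's standard ssl module (a wrapper over SSL_CTX_set_cipher_list); the cipher-list string and cipher names are constructed for illustration, and unknown_cipher_names sketches the plain-list alternative proposed above.

```python
"""Check a negotiated TLS cipher against an OpenSSL-style cipher-list string
(e.g. 'ALL:!aNULL') by letting the library expand the list, so operators such
as '!' and '+' are evaluated by OpenSSL rather than by a home-grown parser."""
import ssl

# Constructed sample: a server-side setting in the style the thread discusses.
SAMPLE_CIPHER_LIST = "HIGH:!aNULL:!MD5"


def expand_cipher_list(spec):
    """Return the set of cipher names OpenSSL selects for `spec`.

    A spec that selects nothing makes set_ciphers() raise ssl.SSLError;
    that is reported as an empty set.  TLS 1.3 suites are controlled by a
    separate setting and always appear in get_ciphers(), so they are
    dropped here to keep the check limited to what the spec governs.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return set()
    return {c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"}


def cipher_allowed(spec, cipher_name):
    """After-the-fact check: is the cipher the peer negotiated covered by `spec`?

    In a real server the name would come from the established connection
    (conn.cipher()[0]); a False result means the connection should be refused.
    """
    return cipher_name in expand_cipher_list(spec)


def unknown_cipher_names(names):
    """The plain-list alternative: cipher names only, no operators or aliases.

    Each entry must expand to exactly itself; aliases such as HIGH, operators,
    and unknown names are rejected, keeping the setting library-neutral.
    """
    return [n for n in names if expand_cipher_list(n) != {n}]


if __name__ == "__main__":
    for name in ("ECDHE-RSA-AES256-GCM-SHA384", "AECDH-AES256-SHA", "NULL-SHA"):
        print(name, "allowed by", SAMPLE_CIPHER_LIST, "->",
              cipher_allowed(SAMPLE_CIPHER_LIST, name))
    print("unknown:", unknown_cipher_names(["ECDHE-RSA-AES256-GCM-SHA384", "BOGUS-CIPHER"]))
```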