| From: | "Victor B(dot) Wagner" <vitus(at)cryptocom(dot)ru> |
|---|---|
| To: | Peter Eisentraut <peter_e(at)gmx(dot)net> |
| Cc: | Stefan Kaltenbrunner <stefan(at)kaltenbrunner(dot)cc>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: [PATCHES] Backend SSL configuration enhancement |
| Date: | 2006-08-31 09:19:44 |
| Message-ID: | 20060831091944.GC9731@cryptocom.ru |
| Lists: | pgsql-hackers pgsql-patches |
On 2006.08.31 at 10:34:02 +0200, Peter Eisentraut wrote:
> On Thursday, 31 August 2006 11:29, Stefan Kaltenbrunner wrote:
> > this is btw. something that is available in most daemons utilizing
> > openssl - one can disable weak ciphers (which might not even be known as
> > weak at the time the defaults were set) or ciphers not authorized for
> > certain usage scenarios by this means.
>
> In that case I'd expect to edit some central openssl configuration file to
> turn off the offending methods in one central place.

There is no such functionality in the OpenSSL configuration file.

Moreover, other SSL applications, such as Apache, use a more fine-grained
approach - use different ciphersuite settings for virtual hosts and
even particular web pages.

Cipher strength is a quantitative characteristic. In some cases the same cipher
can be strong enough, and in some - not.

I can imagine scenarios where different databases or even different
roles in the same database would require different strength of cipher.
For example, a user with read-only access to tables (say a web server,
visualizing data) can connect without encryption at all, a user with
update/insert permissions - with 128-bit encryption, and the database
superuser - only with 256-bit.

But I don't think that implementation of such flexibility would be
necessary until there would be certificate-based database
authentication.
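
The strength tiers from the scenario above, sketched with Python's `ssl` module as an added example; it is not part of the original message and not PostgreSQL code. The role names, cipher strings and helper functions are assumptions, and the check compares the key size OpenSSL reports for each enabled suite against a per-role minimum.

```python
import ssl

# Minimum symmetric key size per role, following the tiers in the message.
# Role names and cipher strings are assumptions made for this example.
ROLE_MIN_BITS = {"reader": 0, "updater": 128, "superuser": 256}
CIPHER_STRINGS = {"updater": "AES:!aNULL:!eNULL",
                  "superuser": "AES256:!aNULL:!eNULL"}


def context_for(role):
    """Server-side context whose cipher list is set by the application itself."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # set_ciphers() does not govern TLS 1.3 suites, so pin the context to
    # TLS 1.2 to make the cipher string the complete policy.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(CIPHER_STRINGS[role])
    return ctx


def enabled_suites(role):
    """(name, strength_bits) for every TLS <= 1.2 suite the context offers."""
    return [(c["name"], c["strength_bits"])
            for c in context_for(role).get_ciphers()
            if c["protocol"] != "TLSv1.3"]


def violations(role):
    """Suites that are enabled but weaker than the role's minimum."""
    return [n for n, bits in enabled_suites(role) if bits < ROLE_MIN_BITS[role]]


def connection_allowed(role, negotiated):
    """negotiated is SSLSocket.cipher(): (name, protocol, secret_bits) or None."""
    bits = negotiated[2] if negotiated else 0
    return bits >= ROLE_MIN_BITS[role]


if __name__ == "__main__":
    for role in CIPHER_STRINGS:
        suites = enabled_suites(role)
        print(role, len(suites), "suites, weakest:", min(b for _, b in suites),
              "violations:", violations(role))
    # Constructed sample of a negotiated 128-bit session.
    sample = ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128)
    print(connection_allowed("updater", sample), connection_allowed("superuser", sample))
```

A server learns the role only after the handshake, so `connection_allowed` is the check that would run once the client has authenticated; the per-context cipher list only bounds what can be negotiated in the first place.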