| From: | Bruce Momjian <bruce(at)momjian(dot)us> |
|---|---|
| To: | "Victor B(dot) Wagner" <vitus(at)cryptocom(dot)ru> |
| Cc: | pgsql-patches(at)postgresql(dot)org |
| Subject: | Re: SSL enhancement patch ver.2 |
| Date: | 2007-02-14 22:13:02 |
| Message-ID: | 200702142213.l1EMD2D27419@momjian.us |
| Lists: | pgsql-patches |

Victor B. Wagner wrote:
> This patch adds the following functionality to PostgreSQL
>
> 1. If PostgreSQL is compiled with OpenSSL version 0.9.7 and above,
> both backend and libpq read the site-wide OpenSSL configuration file as
> described in the OPENSSL_config function manual page.
>
> This allows the use of hardware crypto acceleration modules (engines) and,
> in future version 0.9.9, would allow the use of additional cryptoalgorithms
> (i.e. national standards) which are not included in core OpenSSL.
>
> All other configuration parameters which are supported by the OpenSSL
> library are also taken into account.
>
>
> 2. A new configuration option "ssl_ciphers" is added to postgresql.conf.
> This option allows changing the list of ciphers acceptable by the backend
> during SSL connection. Changing the list of ciphers can be desirable to
> tighten or relax the security of a particular installation, and allows a quick
> fix at the configuration file level in case a vulnerability is discovered
> in one of the cryptoalgorithms or their OpenSSL implementation - cipher
> suites which use such an algorithm can be easily disabled.

Why are you adding "ssl_ciphers" to postgresql.conf? Can't you control
that from the site-wide OpenSSL configuration file added above?

--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://www.enterprisedb.com
+ If your life is a hard drive, Christ can be your backup. +
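
The quoted description says a cipher list lets an administrator disable every suite that uses a given algorithm. The following is an added example, not part of this message or of the patch, that checks what such a change does before it is deployed. It assumes the option value uses OpenSSL's cipher-list string syntax and uses Python's `ssl` module (linked against the local OpenSSL) to expand it; the base list `HIGH:!aNULL` and the excluded keyword `SHA1` are constructed samples.

```python
import ssl

def expand(cipher_list):
    """Suites the local OpenSSL build selects for a cipher-list string.

    Returns {suite name: description line}. TLS 1.3 suites are configured
    separately in OpenSSL and appear regardless of this string.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_list)
    except ssl.SSLError as exc:
        # A typo or an over-tight list selects nothing; catch that here
        # rather than at server start-up.
        raise ValueError(f"cipher list {cipher_list!r} selects no suites") from exc
    return {c["name"]: c["description"] for c in ctx.get_ciphers()}

def tighten(base, keyword):
    """Compare `base` with `base:!keyword`.

    Returns (kept, removed) as sorted lists of suite names.
    """
    before = expand(base)
    after = expand(f"{base}:!{keyword}")
    removed = sorted(set(before) - set(after))
    return sorted(after), removed

def still_offered(cipher_list, marker):
    """Suites whose description still contains `marker`, e.g. 'Mac=SHA1'."""
    return sorted(n for n, d in expand(cipher_list).items() if marker in d)

BASE = "HIGH:!aNULL"  # constructed sample value for the cipher list

if __name__ == "__main__":
    kept, removed = tighten(BASE, "SHA1")
    print(f"{len(removed)} suites removed, {len(kept)} kept")
    for name in removed:
        print("  removed:", name)
    # An empty list here confirms no remaining suite uses a SHA-1 MAC.
    print("still offering Mac=SHA1:", still_offered(f"{BASE}:!SHA1", "Mac=SHA1"))
```

The result depends on the OpenSSL build the script runs against, so it should be run on the host whose server configuration is being changed.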