From: | Bruce Momjian <bruce(at)momjian(dot)us> |
---|---|
To: | Magnus Hagander <magnus(at)hagander(dot)net> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Euler Taveira <euler(at)timbira(dot)com>, Florian Pflug <fgp(at)phlo(dot)org>, Pgsql Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: libpq compression |
Date: | 2012-08-30 21:41:57 |
Message-ID: | 20120830214157.GA32350@momjian.us |
Lists: | pgsql-hackers |
On Sun, Jun 17, 2012 at 11:45:54PM +0800, Magnus Hagander wrote:
> On Sun, Jun 17, 2012 at 11:42 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> > Magnus Hagander <magnus(at)hagander(dot)net> writes:
> >> Is there a reason why we don't have a parameter on the client
> >> mirroring ssl_ciphers?
> >
> > Dunno, do we need one? I am not sure what the cipher negotiation process
> > looks like or which side has the freedom to choose.
>
> I haven't looked into the details, but it seems reasonable that
> *either* side should be able to at least define a list of ciphers it
> *doesn't* want to talk with.
>
> Do we need it - well, it makes sense for the client to be able to say
> "I won't trust 56-bit encryption" before it sends over the password,
> imo..
>
>
> >> That, or just have DEFAULT as being the default (which in current
> >> openssl means ALL:!aNULL:!eNULL).
> >
> > If our default isn't the same as the underlying default, I have to
> > question why not.
>
> Yeah, that's exactly what I'm questioning here..
>
> > But are you sure this "!" notation will work with
> > all openssl versions?
>
> Uh. We have the ! notation in our default *now*. What openssl also
> supports is the text "DEFAULT", which is currently the equivalent of
> "ALL!aNULL!eNULL". The question, which is valid of course, should be
> if "DEFAULT" works with all openssl versions.
>
> It would seem reasonable it does, but I haven't investigated.

Do we want to change our ssl_ciphers default to 'DEFAULT'? Currently it
is 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH'.
--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ It's impossible for everything to be true. +
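
To see what the two strings in this message enable on a given OpenSSL build, the following added example (not part of the original email or of PostgreSQL) expands both through Python's ssl module and reports the differences. The function names are illustrative, and the output depends on the linked OpenSSL version and its security level.

```python
import ssl

# The two ssl_ciphers values quoted in the message.
CURRENT_DEFAULT = "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"
OPENSSL_DEFAULT = "DEFAULT"


def expand(cipher_string):
    """Map suite name -> details for what the local OpenSSL enables.

    TLS 1.3 suites are configured separately from the cipher string, so
    they are left out to keep the comparison about the string itself.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # ssl.SSLError if nothing is selected
    return {c["name"]: c for c in ctx.get_ciphers()
            if c.get("protocol") != "TLSv1.3"}


def is_anonymous(info):
    """True for suites without server authentication (aNULL: ADH, AECDH)."""
    return (info.get("auth") == "auth-null"
            or info["name"].startswith(("ADH-", "AECDH-")))


def compare(a=CURRENT_DEFAULT, b=OPENSSL_DEFAULT):
    """Summarise how two cipher strings differ on this OpenSSL build."""
    ea, eb = expand(a), expand(b)
    return {
        "only_in_a": sorted(set(ea) - set(eb)),
        "only_in_b": sorted(set(eb) - set(ea)),
        "anonymous_in_a": sorted(n for n, i in ea.items() if is_anonymous(i)),
        "anonymous_in_b": sorted(n for n, i in eb.items() if is_anonymous(i)),
        "min_bits_a": min((i["strength_bits"] for i in ea.values()), default=None),
        "min_bits_b": min((i["strength_bits"] for i in eb.values()), default=None),
    }


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    for key, value in compare().items():
        print(f"{key}: {value}")
```

The `anonymous_in_a` entry is the one to watch: `!ADH` removes only the finite-field anonymous DH suites, so whether other unauthenticated suites survive depends on the build.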