Re: [PATCH] configure-time knob to set default ssl ciphers

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Daniel Gustafsson <daniel(at)yesql(dot)se>
Cc: Pavel Raiskup <praiskup(at)redhat(dot)com>, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: [PATCH] configure-time knob to set default ssl ciphers
Date: 2017-02-08 16:39:58
Message-ID: 3239.1486571998@sss.pgh.pa.us
Lists: pgsql-hackers

Daniel Gustafsson <daniel(at)yesql(dot)se> writes:
> Since we hopefully will support more SSL libraries than OpenSSL at some point,
> and we don’t want a torrent of configure options, wouldn’t this be better as
> --with-server-ciphers=STRING or something similar?

One of the reasons I'm not very excited about exposing this as a configure
option is exactly that I'm not sure what happens when we get multiple TLS
library support. The cipher list we've got at the moment seems like it
is probably OpenSSL-specific (but maybe not?). If we did have code for
multiple libraries, perhaps some people would want to compile all the
variants at once; in which case overloading a single option to be used for
all the libraries would be a problem.

This would all be a lot clearer if we already had that code, but since
we don't, I'm inclined to be conservative about exposing new features
that make assumptions about how it will be.

regards, tom lane
