Postgres Pro
Downloads
Home   >   mailing lists

[PATCH 1/2] SSL: GUC option to prefer server cipher order - Mailing list pgsql-hackers

From Marko Kreen
Subject [PATCH 1/2] SSL: GUC option to prefer server cipher order
Date
Msg-id 1383782378-7342-1-git-send-email-markokr@gmail.com
Whole thread Raw
Responses [PATCH 2/2] SSL: Support ECDH key excange.  (Marko Kreen <markokr@gmail.com>)
Re: [PATCH 1/2] SSL: GUC option to prefer server cipher order  (Alvaro Herrera <alvherre@2ndquadrant.com>)
Re: [PATCH 1/2] SSL: GUC option to prefer server cipher order  (Peter Eisentraut <peter_e@gmx.net>)
List pgsql-hackers
Tree view 
By default OpenSSL (and SSL/TLS in general) lets client cipher
order take priority.  This is OK for browsers where the ciphers
were tuned, but few Postgres client libraries make cipher order
configurable.  So it makes sense to make cipher order in
postgresql.conf take priority over client defaults.

This patch adds setting 'ssl_prefer_server_ciphers' which can be
turned on so that server cipher order is preferred.

The setting SSL_OP_CIPHER_SERVER_PREFERENCE appeared in
OpenSSL 0.9.7 (31 Dec 2002), not sure if #ifdef is required
for conditional compilation.
---
 doc/src/sgml/config.sgml      | 12 ++++++++++++
 src/backend/libpq/be-secure.c |  7 +++++++
 src/backend/utils/misc/guc.c  | 10 ++++++++++
 3 files changed, 29 insertions(+)
Attachment

pgsql-hackers by date:

Previous
From: Andres Freund
Date:
Subject: Re: alter_table regression test problem
Next
From: Marko Kreen
Date:
Subject: [PATCH 2/2] SSL: Support ECDH key excange.