[PATCH 1/2] SSL: GUC option to prefer server cipher order - Mailing list pgsql-hackers

By default OpenSSL (and SSL/TLS in general) lets client cipher
order take priority.  This is OK for browsers where the ciphers
were tuned, but few Postgres client libraries make cipher order
configurable.  So it makes sense to make cipher order in
postgresql.conf take priority over client defaults.

This patch adds setting 'ssl_prefer_server_ciphers' which can be
turned on so that server cipher order is preferred.

The setting SSL_OP_CIPHER_SERVER_PREFERENCE appeared in
OpenSSL 0.9.7 (31 Dec 2002), not sure if #ifdef is required
for conditional compilation.
---
 doc/src/sgml/config.sgml      | 12 ++++++++++++
 src/backend/libpq/be-secure.c |  7 +++++++
 src/backend/utils/misc/guc.c  | 10 ++++++++++
 3 files changed, 29 insertions(+)