Re: Backend SSL configuration enhancement - Mailing list pgsql-patches

From: Bruce Momjian
Subject: Re: Backend SSL configuration enhancement
Msg-id: 200609022358.k82NwZR08070@momjian.us
In response to: Re: Backend SSL configuration enhancement ("Victor B. Wagner" <vitus@cryptocom.ru>)
Responses: Re: Backend SSL configuration enhancement (Tom Lane <tgl@sss.pgh.pa.us>)
List: pgsql-patches
This has been saved for the 8.3 release:

    http://momjian.postgresql.org/cgi-bin/pgpatches_hold

---------------------------------------------------------------------------

Victor B. Wagner wrote:
> On 2006.08.30 at 10:14:02 -0400, Tom Lane wrote:
>
> > "Victor B. Wagner" <vitus@cryptocom.ru> writes:
> > > This patch adds two new configuration directives to postgresql.conf file
> > > 1. ssl_ciphers  - allows server administrator to  specify set of SSL
> > > ciphersuites which can be used by clients to connect to the server.
> > > 2. ssl_engine - allows  to specify loadable crypto engine (i.e. hardware
> > > crypto accelerator support) to use.
> >
> > Why are either of these useful?  What are the compatibility implications
>
> First one is useful if for some reason some ciphers supported by OpenSSL
> are not permitted for use in the particular network, or if there is need
> to use ciphersuites which are not included into default ciphersuite
> list, now compiled into PostgreSQL.
>
> It might be requirement of enhanced security, or some national standards requirement.
>
> Or vice versa - people might want client certificates for
> authentication, but avoid encryption for performance reasons.
>
> Second one can be used for taking cryptography load from server into
> special hardware chip, which can be useful for loaded servers.
> Also, upcoming OpenSSL 0.9.9 allows to add entirely new cryptographic
> algorithms via engines, so engine support allows to use algorithms,
> i.e. national standards, which are not supported in the OpenSSL core.
>
> We have developed this patch in order to use Russian GOST algorithms
> for SSL connections.
> > of changing them?  Does the addition of the engine-load code break
> > compatibility with older OpenSSL releases?
>
> Engines appeared in OpenSSL quite a long time ago. Version 0.9.7 already
> supports them. So, compatibility is broken only with 0.9.6 and earlier
> which have numerous other problems anyway.
>
> I can recheck my patch and add conditional compilation around engine
> loading code to be sure that it doesn't break compatibility with 0.9.6,
> just ignores ssl_engine keyword if underlying OpenSSL doesn't support
> engines.
>

--
  Bruce Momjian   bruce@momjian.us
  EnterpriseDB    http://www.enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +
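The ssl_ciphers directive discussed in this thread takes an OpenSSL cipher-list string, and whether a given string is accepted, and which suites it actually enables, depends on the OpenSSL build the server links against (the thread's own point about the default list being compiled in, and about 0.9.6 versus 0.9.7). The following script is an added example, not part of the patch or of PostgreSQL: it expands a candidate string through the local OpenSSL via Python's ssl module, reports what the server would offer, and flags suites under an illustrative policy (the WEAK_NAME_MARKERS and MIN_STRENGTH_BITS values are assumptions chosen for the example, not a PostgreSQL rule). Running it on the machine that will host the server is the check an administrator would want before editing postgresql.conf.

```python
# Added example (not part of the patch in this thread): validate an OpenSSL
# cipher-list string before putting it into postgresql.conf as ssl_ciphers.
# The expansion comes from the OpenSSL build Python is linked against, so run
# it where the server runs. The policy below is an assumption for illustration.
import ssl
from dataclasses import dataclass, field

# Substrings that, in this example's policy, mark a suite as unacceptable.
# "NULL" covers both eNULL (no encryption) and aNULL (no authentication).
WEAK_NAME_MARKERS = ("NULL", "EXP", "RC4", "DES", "MD5")
MIN_STRENGTH_BITS = 128  # assumed minimum effective key strength


@dataclass
class CipherReport:
    cipher_string: str
    valid: bool                 # did OpenSSL accept the string at all?
    error: str = ""             # OpenSSL's message if it did not
    suites: list = field(default_factory=list)  # suite names the server would offer
    weak: list = field(default_factory=list)    # subset failing the policy above


def is_weak(cipher):
    """Policy check on one entry returned by SSLContext.get_ciphers()."""
    name = cipher["name"]
    if any(marker in name for marker in WEAK_NAME_MARKERS):
        return True
    return cipher["strength_bits"] < MIN_STRENGTH_BITS


def expand_cipher_string(cipher_string):
    """Expand an OpenSSL cipher string the way a server-side context would.

    With OpenSSL 1.1.1 or later, get_ciphers() also lists the TLS 1.3 suites,
    which OpenSSL controls separately from the cipher-list string; they show
    up in the report regardless of the string given.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError as exc:
        # OpenSSL rejects strings that select no usable cipher at all.
        return CipherReport(cipher_string, False, str(exc))
    ciphers = ctx.get_ciphers()
    suites = [c["name"] for c in ciphers]
    weak = [c["name"] for c in ciphers if is_weak(c)]
    return CipherReport(cipher_string, True, "", suites, weak)


def postgresql_conf_line(cipher_string):
    """Return the ssl_ciphers line for postgresql.conf, or None when OpenSSL
    rejects the string or it selects a suite the example policy forbids."""
    report = expand_cipher_string(cipher_string)
    if not report.valid or report.weak:
        return None
    return f"ssl_ciphers = '{cipher_string}'"


if __name__ == "__main__":
    # Constructed candidates: a restrictive list, the "client certificates but
    # no encryption" case mentioned in the thread, and a string with no match.
    for candidate in ("HIGH:!aNULL:!eNULL:!MD5:!3DES", "ALL:eNULL", "NOT-A-CIPHER"):
        report = expand_cipher_string(candidate)
        if not report.valid:
            print(f"{candidate!r}: rejected by OpenSSL: {report.error}")
            continue
        print(f"{candidate!r}: {len(report.suites)} suites, {len(report.weak)} flagged")
        for name in report.weak:
            print("   flagged:", name)
        line = postgresql_conf_line(candidate)
        print("   conf line:", line if line else "(not emitted)")
```

The "ALL:eNULL" candidate is there because the thread mentions wanting client-certificate authentication without encryption; on builds that compile out NULL ciphers OpenSSL will reject that string outright, and on builds that keep them the report lists every unencrypted suite so the trade-off is visible before it reaches the server configuration.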
