Peter Eisentraut <peter.eisentraut@2ndquadrant.com> writes:
> Question for the group: We currently have a number of config settings
> named ssl_*. Some of these are specific to OpenSSL, some are not, namely:
> # general
> ssl
> ssl_dh_params_file
> ssl_cert_file
> ssl_key_file
> ssl_ca_file
> ssl_crl_file
> # OpenSSL
> ssl_ciphers
> ssl_prefer_server_ciphers
> ssl_ecdh_curve
> # GnuTLS (proposed)
> gnutls_priorities
> (effectively a combination of ssl_ciphers and ssl_prefer_server_ciphers)
> Should we rename the OpenSSL-specific settings to openssl_*?
> It think it would be better for clarity, and they are not set very
> commonly, so the user impact would be low.
Yeah, I think only the "general" parameters would be set by very
many people. +1 for renaming the OpenSSL-only parameters.
I don't know too much about the internals here, so looking at your
list, I wonder whether "ssl_dh_params_file" ought to be treated as
implementation-specific too. The other four files seem essential
to any feature-complete implementation, but is that one?
regards, tom lane
