Re: libpq compression - Mailing list pgsql-hackers
| From | Magnus Hagander |
|---|---|
| Subject | Re: libpq compression |
| Date | |
| Msg-id | CABUevEybu+v7zcsM8qtOEFdQ95njyK=ERjVbdMAe3c7T2Ut6JA@mail.gmail.com Whole thread Raw |
| In response to | Re: libpq compression (Florian Pflug <fgp@phlo.org>) |
| Responses |
Re: libpq compression
|
| List | pgsql-hackers |
On Wed, Jun 20, 2012 at 12:35 PM, Florian Pflug <fgp@phlo.org> wrote: > On Jun19, 2012, at 17:36 , Robert Haas wrote: >> On Mon, Jun 18, 2012 at 1:42 PM, Martijn van Oosterhout >> <kleptog@svana.org> wrote: >>> On Sun, Jun 17, 2012 at 12:29:53PM -0400, Tom Lane wrote: >>>> The fly in the ointment with any of these ideas is that the "configure >>>> list" is not a list of exact cipher names, as per Magnus' comment that >>>> the current default includes tests like "!aNULL". I am not sure that >>>> we know how to evaluate such conditions if we are applying an >>>> after-the-fact check on the selected cipher. Does OpenSSL expose any >>>> API for evaluating whether a selected cipher meets such a test? >>> >>> I'm not sure whether there's an API for it, but you can certainly check >>> manually with "openssl ciphers -v", for example: >>> >>> $ openssl ciphers -v 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP' >>> NULL-SHA SSLv3 Kx=RSA Au=RSA Enc=None Mac=SHA1 >>> NULL-MD5 SSLv3 Kx=RSA Au=RSA Enc=None Mac=MD5 >>> >>> ...etc... >>> >>> So unless the openssl includes the code twice there must be a way to >>> extract the list from the library. >> >> There doubtless is, but I'd being willing to wager that you won't be >> able to figure out the exact method without reading the source code >> for 'opennssl ciphers' to see how it was done there, and most likely >> you'll find that at least one of the functions they use has no man >> page. Documentation isn't their strong point. > > Yes, unfortunately. > > I wonder though if shouldn't restrict the allowed ciphers list to being > a simple list of supported ciphers. If our goal is to support multiple > SSL libraries transparently then surely having openssl-specific syntax > in the config file isn't exactly great anyway... That is a very good point. Before we design *another* feature that relies on it, we should verify if the syntax is compatible in the other libraries that would be interesting (gnutls and NSS primarily), and if it's not that at least the *functionality* exists ina compatible way. So we don't put ourselves in a position where we can't proceed. And yes, that's vapourware so far. But I know at least Claes (added to CC) has said he wants to work on it during this summer, and I've promised to help him out and review as well, if/when he gets that far. But even without that, we should try to keep the door to these other library implementations as open as possible. -- Magnus Hagander Me: http://www.hagander.net/ Work: http://www.redpill-linpro.com/
pgsql-hackers by date: