Mike Rylander wrote:
> On Dec 22, 2007 1:04 PM, Tom Lane <[EMAIL PROTECTED]> wrote:
> > Peter Eisentraut <[EMAIL PROTECTED]> writes:
> > > Wouldn't SSL work over Unix-domain sockets as well? The API only deals
> > > with
> > > file descriptors.
> >
> > Hmm ... we've always thought of SSL as being primarily comm security
> > and thus useless on a Unix socket, but the mutual authentication aspect
> > could come in handy as an answer for this type of threat. Anyone want
> > to try this and see if it really works or not?
> >
> > Does OpenSSL have a mode where it only does mutual auth and not
> > encryption? The encryption would be wasted cycles in this scenario,
> > so being able to turn it off would be nice.
> >
>
> [EMAIL PROTECTED]:~$ openssl ciphers -v 'NULL'
> NULL-SHA SSLv3 Kx=RSA Au=RSA Enc=None Mac=SHA1
> NULL-MD5 SSLv3 Kx=RSA Au=RSA Enc=None Mac=MD5
>
> I see no way to turn off the message digest, but maybe that's just an
> added benefit.
So if we set ssl_ciphers in postgresql.conf to:
ssl_ciphers = 'NULL-SHA:NULL-MD5'
then SSL does client and server machine authentication with no
encryption overhead?
--
Bruce Momjian <[EMAIL PROTECTED]> http://momjian.us
EnterpriseDB http://postgres.enterprisedb.com
+ If your life is a hard drive, Christ can be your backup. +
---------------------------(end of broadcast)---------------------------
TIP 5: don't forget to increase your free space map settings
