Mike Rylander wrote: > On Dec 22, 2007 1:04 PM, Tom Lane <[EMAIL PROTECTED]> wrote: > > Peter Eisentraut <[EMAIL PROTECTED]> writes: > > > Wouldn't SSL work over Unix-domain sockets as well? The API only deals > > > with > > > file descriptors. > > > > Hmm ... we've always thought of SSL as being primarily comm security > > and thus useless on a Unix socket, but the mutual authentication aspect > > could come in handy as an answer for this type of threat. Anyone want > > to try this and see if it really works or not? > > > > Does OpenSSL have a mode where it only does mutual auth and not > > encryption? The encryption would be wasted cycles in this scenario, > > so being able to turn it off would be nice. > > > > [EMAIL PROTECTED]:~$ openssl ciphers -v 'NULL' > NULL-SHA SSLv3 Kx=RSA Au=RSA Enc=None Mac=SHA1 > NULL-MD5 SSLv3 Kx=RSA Au=RSA Enc=None Mac=MD5 > > I see no way to turn off the message digest, but maybe that's just an > added benefit.
So if we set ssl_ciphers in postgresql.conf to: ssl_ciphers = 'NULL-SHA:NULL-MD5' then SSL does client and server machine authentication with no encryption overhead? -- Bruce Momjian <[EMAIL PROTECTED]> http://momjian.us EnterpriseDB http://postgres.enterprisedb.com + If your life is a hard drive, Christ can be your backup. + ---------------------------(end of broadcast)--------------------------- TIP 5: don't forget to increase your free space map settings