On Jun 19, 2012, at 17:36, Robert Haas wrote:

> On Mon, Jun 18, 2012 at 1:42 PM, Martijn van Oosterhout
> <klep...@svana.org> wrote:
>> On Sun, Jun 17, 2012 at 12:29:53PM -0400, Tom Lane wrote:
>>> The fly in the ointment with any of these ideas is that the "configure
>>> list" is not a list of exact cipher names, as per Magnus' comment that
>>> the current default includes tests like "!aNULL". I am not sure that
>>> we know how to evaluate such conditions if we are applying an
>>> after-the-fact check on the selected cipher. Does OpenSSL expose any
>>> API for evaluating whether a selected cipher meets such a test?
>>
>> I'm not sure whether there's an API for it, but you can certainly check
>> manually with "openssl ciphers -v", for example:
>>
>> $ openssl ciphers -v 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP'
>> NULL-SHA SSLv3 Kx=RSA Au=RSA Enc=None Mac=SHA1
>> NULL-MD5 SSLv3 Kx=RSA Au=RSA Enc=None Mac=MD5
>>
>> ...etc...
>>
>> So unless the openssl includes the code twice there must be a way to
>> extract the list from the library.
>
> There doubtless is, but I'd be willing to wager that you won't be
> able to figure out the exact method without reading the source code
> for 'openssl ciphers' to see how it was done there, and most likely
> you'll find that at least one of the functions they use has no man
> page. Documentation isn't their strong point.
Yes, unfortunately. I wonder though if we shouldn't restrict the allowed ciphers list to being a simple list of supported ciphers. If our goal is to support multiple SSL libraries transparently then surely having openssl-specific syntax in the config file isn't exactly great anyway...

best regards,
Florian Pflug

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
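An added example of the after-the-fact check Tom asks about, not code from the thread or from PostgreSQL: Python's ssl module wraps OpenSSL's SSL_CTX_set_cipher_list and SSL_get_ciphers, so the list it returns is the same expansion `openssl ciphers -v` prints, and selectors like "!aNULL" are evaluated by OpenSSL itself rather than re-implemented. The spec string and the cipher names checked below are constructed for the example.

```python
"""Added example: evaluate an OpenSSL cipher-list spec from Python.

ssl.SSLContext.set_ciphers() calls SSL_CTX_set_cipher_list(), and
get_ciphers() calls SSL_get_ciphers(), so the expansion below is the one
"openssl ciphers -v" prints, including selectors such as "!aNULL".
"""
import ssl

# Constructed for this example; the thread itself only quotes "!aNULL".
CIPHER_SPEC = "HIGH:!aNULL:!MD5"


def expand_cipher_list(spec):
    """Return the suites OpenSSL resolves `spec` to, in preference order.

    Raises ssl.SSLError when the spec is malformed or matches no suite,
    which is exactly the case a configuration check should catch.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return ctx.get_ciphers()  # list of dicts: name, protocol, kea, auth, ...


def spec_is_valid(spec):
    """True if OpenSSL accepts `spec` and it selects at least one suite."""
    try:
        expand_cipher_list(spec)
    except ssl.SSLError:
        return False
    return True


def cipher_permitted(spec, negotiated):
    """After-the-fact check: is the suite a peer negotiated allowed by `spec`?

    Only the negotiated name is compared; OpenSSL has already applied
    !aNULL and friends when building the list.
    """
    return negotiated in {c["name"] for c in expand_cipher_list(spec)}


def describe(spec):
    """Lines in the format of `openssl ciphers -v` (OpenSSL's own text)."""
    return [c["description"] for c in expand_cipher_list(spec)]


if __name__ == "__main__":
    print("\n".join(describe(CIPHER_SPEC)))
    for name in ("ECDHE-RSA-AES128-GCM-SHA256", "AECDH-AES256-SHA", "RC4-MD5"):
        verdict = "permitted" if cipher_permitted(CIPHER_SPEC, name) else "rejected"
        print(name, verdict)
```

A suite is rejected either because the spec excludes it or because the linked OpenSSL does not ship it at all; both mean the server could never have negotiated it under that configuration.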