On Thu, Sep 7, 2017 at 10:35 PM, Tom Lane <t...@sss.pgh.pa.us> wrote:
> I think we might be best off just playing it straight and providing
> a config file that contains a section along these lines:
>
> # Parameters for OpenSSL. Leave these commented out if not using OpenSSL.
> #
> #ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
> #ssl_prefer_server_ciphers = on
> #ssl_ecdh_curve = 'prime256v1'
> #ssl_dh_params_file = ''
> #ssl_cert_file = 'server.crt'
> #ssl_key_file = 'server.key'
> #ssl_ca_file = ''
> #ssl_crl_file = ''
> #
> # Parameters for GnuTLS. Leave these commented out if not using GnuTLS.
> #
> #gnufoo=...
> #gnubar=...
> #
> # Parameters for macOS TLS. ... you get the idea.
>
> As previously noted, it'd be a good idea to rename the existing
> ssl_xxx parameters to openssl_xxx, except maybe ones that we think
> will be universal. (But even if we do think that, it might be
> simpler in the long run to just have three or four totally independent
> sections of the config file, instead of some common and some
> library-specific parameters.)

+1 to all of that.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company