Peter Eisentraut <[EMAIL PROTECTED]> writes: > In that case I'd expect to edit some central openssl configuration file to > turn off the offending methods in one central place.
I concur with this in the abstract: it would be better design to submit something to the OpenSSL project to allow setting engine choices and such site-wide. In the short term, though, it's hard to deny that our code if (SSL_CTX_set_cipher_list(SSL_context, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH") != 1) is pretty ad-hoc and looks exactly like the sort of thing someone might want to adjust. I'm willing to accept the part of the patch that makes that string into a GUC variable, until such time as OpenSSL provides a way to configure itself site-wide so that we can remove this code entirely. I'm not eager to accept the other part of the patch. regards, tom lane ---------------------------(end of broadcast)--------------------------- TIP 5: don't forget to increase your free space map settings