This has been saved for the 8.3 release: http://momjian.postgresql.org/cgi-bin/pgpatches_hold
---------------------------------------------------------------------------

Victor B. Wagner wrote:
> This patch adds the following functionality to PostgreSQL:
>
> 1. If PostgreSQL is compiled with OpenSSL version 0.9.7 and above,
> both the backend and libpq read the site-wide OpenSSL configuration file, as
> described in the OPENSSL_config function manual page.
>
> This allows the use of hardware crypto acceleration modules (engines), and
> in the future version 0.9.9 would allow the use of additional crypto algorithms
> (i.e. national standards) which are not included in core OpenSSL.
>
> All other configuration parameters which are supported by the OpenSSL
> library are also taken into account.
>
> 2. A new configuration option "ssl_ciphers" is added to postgresql.conf.
> This option allows changing the list of ciphers acceptable to the backend
> during an SSL connection. Changing the list of ciphers can be desirable to
> tighten or relax the security of a particular installation, and allows a quick
> fix at the configuration-file level in case a vulnerability is discovered
> in one of the crypto algorithms or their OpenSSL implementation: cipher
> suites which use such an algorithm can be easily disabled.
>
> 3. If libpq is compiled with OpenSSL 0.9.7 and above, compiled with engine
> support, it is possible to store the secret key of the client certificate on a
> hardware token supported by one of the OpenSSL engines (Hardware Security
> Module). The name of the engine which supports the token and the engine-specific
> key ID are specified using the environment variable PGSSLKEY.
>
> This allows the use of hardware tokens such as smartcards to identify
> clients connecting to the database.
>
> This functionality can be used in installations with high security
> requirements or in situations where several people can use the same terminal
> (such as a cash register in shops or malls).
>
> If PostgreSQL is compiled with a version of OpenSSL which does not support
> engines or doesn't have the OPENSSL_config function, the related functionality
> is excluded by preprocessor conditionals, based on the value of the
> SSLEAY_VERSION_NUMBER preprocessor symbol which is defined by all
> versions of OpenSSL.
>
> [ Attachment, skipping... ]
>
> ---------------------------(end of broadcast)---------------------------
> TIP 5: don't forget to increase your free space map settings

--
Bruce Momjian
EnterpriseDB http://www.enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +

---------------------------(end of broadcast)---------------------------
TIP 6: explain analyze is your friend
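The ssl_ciphers option described in point 2 hands an OpenSSL cipher-list string to the library, so what an operator really needs to know is which suites a given string selects and what a "quick fix" exclusion actually removes. The following is an added example, not code from the patch or from PostgreSQL: it uses Python's ssl module (which wraps the same OpenSSL cipher-list parser) to expand a list, diff two lists, and reject an unusable one the way a backend would fail at startup. The PG_DEFAULT_CIPHERS value is an assumption about the default the option shipped with and is illustrative only; the concrete suite names you see depend on the OpenSSL build Python is linked against.

```python
"""Added example (not the patch's or PostgreSQL's own code): inspect OpenSSL
cipher-list strings of the kind the new ssl_ciphers option accepts."""
import ssl

# Assumption: illustrative default for ssl_ciphers, not taken from the patch.
# "ALL" minus anonymous DH, low-grade, export and MD5 suites, strongest first.
PG_DEFAULT_CIPHERS = "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"


def expand_cipher_list(spec):
    """Return the cipher suite names OpenSSL selects for `spec`, in the
    order the server would prefer them. Raises ssl.SSLError when nothing
    matches, which is the same condition a backend would hit at startup
    with an unusable ssl_ciphers value."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)
    return [c["name"] for c in ctx.get_ciphers()]


def is_valid_cipher_list(spec):
    """True if OpenSSL can build a non-empty cipher list from `spec`."""
    try:
        expand_cipher_list(spec)
        return True
    except ssl.SSLError:
        return False


def suites_removed_by(before, after):
    """Suites enabled by `before` but not by `after`: exactly what an
    operator switches off when tightening ssl_ciphers after an advisory."""
    return sorted(set(expand_cipher_list(before)) - set(expand_cipher_list(after)))


if __name__ == "__main__":
    # Emulate the "disable every suite using a suspect algorithm" workflow
    # from the patch description: here the SHA1 MAC is the suspect.
    tightened = PG_DEFAULT_CIPHERS + ":!SHA1"
    print("default selects %d suites" % len(expand_cipher_list(PG_DEFAULT_CIPHERS)))
    for name in suites_removed_by(PG_DEFAULT_CIPHERS, tightened):
        print("  disabled:", name)
    print("typo'd list accepted?", is_valid_cipher_list("HGIH:!aNULL"))
```

A misspelled keyword is silently ignored by the OpenSSL grammar until no suite at all is left, so checking `is_valid_cipher_list` is not enough on its own; review the expanded list, since a typo in a `!` exclusion leaves the suite you meant to disable enabled.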