Re: [HACKERS] [PATCH] configure-time knob to set default ssl ciphers

2017-02-08 Thread Tom Lane
Alvaro Herrera writes: > Tom Lane wrote: >> If we did have code for multiple libraries, perhaps some people would >> want to compile all the variants at once; in which case overloading a >> single option to be used for all the libraries would be a problem. > Hmm, I

Re: [HACKERS] [PATCH] configure-time knob to set default ssl ciphers

2017-02-08 Thread Alvaro Herrera
Tom Lane wrote: > Daniel Gustafsson writes: > > Since we hopefully will support more SSL libraries than OpenSSL at some > > point, > > and we don’t want a torrent of configure options, wouldn’t this be better as > > --with-server-ciphers=STRING or something similar? > > One

Re: [HACKERS] [PATCH] configure-time knob to set default ssl ciphers

2017-02-08 Thread Tom Lane
Daniel Gustafsson writes: > Since we hopefully will support more SSL libraries than OpenSSL at some point, > and we don’t want a torrent of configure options, wouldn’t this be better as > --with-server-ciphers=STRING or something similar? One of the reasons I'm not very

Re: [HACKERS] [PATCH] configure-time knob to set default ssl ciphers

2017-02-08 Thread Daniel Gustafsson
> On 08 Feb 2017, at 13:31, Pavel Raiskup wrote: > > On Wednesday, February 8, 2017 1:29:19 PM CET Pavel Raiskup wrote: >> On Wednesday, February 8, 2017 1:05:08 AM CET Tom Lane wrote: >>> Peter Eisentraut writes: On 2/7/17 11:21 AM,

Re: [HACKERS] [PATCH] configure-time knob to set default ssl ciphers

2017-02-08 Thread Pavel Raiskup
On Wednesday, February 8, 2017 1:29:19 PM CET Pavel Raiskup wrote: > On Wednesday, February 8, 2017 1:05:08 AM CET Tom Lane wrote: > > Peter Eisentraut writes: > > > On 2/7/17 11:21 AM, Tom Lane wrote: > > >> A compromise that might be worth considering is

Re: [HACKERS] [PATCH] configure-time knob to set default ssl ciphers

2017-02-08 Thread Pavel Raiskup
On Wednesday, February 8, 2017 1:05:08 AM CET Tom Lane wrote: > Peter Eisentraut writes: > > On 2/7/17 11:21 AM, Tom Lane wrote: > >> A compromise that might be worth considering is to introduce > >> #define PG_DEFAULT_SSL_CIPHERS "HIGH:MEDIUM:+3DES:!aNULL" > >>

Re: [HACKERS] [PATCH] configure-time knob to set default ssl ciphers

2017-02-07 Thread Tom Lane
Peter Eisentraut writes: > On 2/7/17 11:21 AM, Tom Lane wrote: >> A compromise that might be worth considering is to introduce >> #define PG_DEFAULT_SSL_CIPHERS "HIGH:MEDIUM:+3DES:!aNULL" >> into pg_config_manual.h, which would at least give you a reasonably >>

Re: [HACKERS] [PATCH] configure-time knob to set default ssl ciphers

2017-02-07 Thread Peter Eisentraut
On 2/7/17 11:21 AM, Tom Lane wrote: > A compromise that might be worth considering is to introduce > > #define PG_DEFAULT_SSL_CIPHERS "HIGH:MEDIUM:+3DES:!aNULL" > > into pg_config_manual.h, which would at least give you a reasonably > stable target point for a long-lived patch. You'd still need

Re: [HACKERS] [PATCH] configure-time knob to set default ssl ciphers

2017-02-07 Thread Tom Lane
Pavel Raiskup writes: > PostgreSQL server uses 'HIGH:MEDIUM:+3DES:!aNULL' cipher set by default, > but what Fedora would like to have is 'PROFILE=SYSTEM' (works with > Fedora-patched OpenSSL, so please don't waste your time with checking this > elsewhere). > ... > I'd like to

[HACKERS] [PATCH] configure-time knob to set default ssl ciphers

2017-02-07 Thread Pavel Raiskup
Hi hackers, in Fedora, there's crypto initiative where people try to consolidate ssl cipher settings for (majority of) Fedora services (PostgreSQL is included). PostgreSQL server uses 'HIGH:MEDIUM:+3DES:!aNULL' cipher set by default, but what Fedora would like to have is 'PROFILE=SYSTEM' (works
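The thread turns on two cipher strings: the PostgreSQL server default 'HIGH:MEDIUM:+3DES:!aNULL' and Fedora's 'PROFILE=SYSTEM', which only a Fedora-patched OpenSSL understands. The script below is an added example, not code from the thread or from PostgreSQL, showing how to check what a cipher string actually selects on the local OpenSSL and whether it is accepted at all. It assumes a Python 3.7+ `ssl` module linked against OpenSSL; the function names are the example's own.

```python
import ssl

# The PostgreSQL server default discussed in the thread.
PG_DEFAULT_SSL_CIPHERS = "HIGH:MEDIUM:+3DES:!aNULL"
# What Fedora wants; only a Fedora/RHEL-patched OpenSSL knows this token.
FEDORA_SSL_CIPHERS = "PROFILE=SYSTEM"


def expand_cipher_string(spec):
    """Return the TLS<=1.2 suites the local OpenSSL selects for spec.

    ssl.SSLContext.set_ciphers() wraps SSL_CTX_set_cipher_list(), which fails
    (and Python raises ssl.SSLError) when no suite matches. An unknown token
    such as PROFILE=SYSTEM on an unpatched OpenSSL ends up exactly there.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    # get_ciphers() also lists TLS 1.3 suites, which the legacy cipher string
    # does not control, so keep only the suites the string selected.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def accepts_cipher_string(spec):
    """True if the local OpenSSL selects at least one suite for spec."""
    try:
        return len(expand_cipher_string(spec)) > 0
    except ssl.SSLError:
        return False


def anonymous_ciphers(spec):
    """Suites with no server authentication; these are what '!aNULL' removes."""
    return [c["name"] for c in expand_cipher_string(spec)
            if c["auth"] == "auth-null"]


def triple_des_ciphers(spec):
    """Suites the '+3DES' clause moved to the end of the list (if any remain)."""
    return [c["name"] for c in expand_cipher_string(spec)
            if "DES-CBC3" in c["name"]]


def report(spec):
    """Human-readable summary for one cipher string."""
    if not accepts_cipher_string(spec):
        return f"{spec!r}: rejected by {ssl.OPENSSL_VERSION}"
    suites = expand_cipher_string(spec)
    return (f"{spec!r}: {len(suites)} suites, "
            f"anonymous={anonymous_ciphers(spec)}, "
            f"3des={triple_des_ciphers(spec)}")


if __name__ == "__main__":
    print(report(PG_DEFAULT_SSL_CIPHERS))
    # Accepted only where OpenSSL carries the distro patch; elsewhere this
    # prints "rejected", which is why the thread wants a build-time knob
    # rather than changing the default for everyone.
    print(report(FEDORA_SSL_CIPHERS))
```

Whether `PROFILE=SYSTEM` is accepted depends entirely on the OpenSSL build, so the script reports it rather than asserting either way; the PostgreSQL default should always expand to a non-empty list with no anonymous suites.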