On Jun20, 2012, at 17:34 , Tom Lane wrote: > Florian Pflug <f...@phlo.org> writes: >> I wonder though if shouldn't restrict the allowed ciphers list to being >> a simple list of supported ciphers. If our goal is to support multiple >> SSL libraries transparently then surely having openssl-specific syntax >> in the config file isn't exactly great anyway... > > No, we don't want to go there, because then we'd have to worry about > keeping the default list in sync with what's supported by the particular > version of the particular library we chance to be using. That's about > as far from transparent as you can get. A notation like "DEFAULT" > is really quite ideal for our purposes in that respect.
No argument with that, but does that mean we have to allow the full syntax supported by OpenSSL (i.e., those +,-,! prefixes)? Maybe we could map an empty list to DEFAULT and otherwise interpret it as a list of ciphers? It'd make the whole NULL-cipher business easy, because once we know that the cipher specified doesn't contain !NULL (which removes NULL *permanently*), we can simply append NULL to allow "all these ciphers plus NULL". best regards, Florian Pflug -- Sent via pgsql-hackers mailing list (firstname.lastname@example.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers