Pavel Raiskup <prais...@redhat.com> writes: > PostgreSQL server uses 'HIGH:MEDIUM:+3DES:!aNULL' cipher set by default, > but what Fedora would like to have is 'PROFILE=SYSTEM' (works with > Fedora-patched OpenSSL, so please don't waste your time with checking this > elsewhere). > ... > I'd like to propose the attached patch, so we could (without downstream > patching) do > $ ./configure ... --with-openssl-be-ciphers=PROFILE=SYSTEM
Meh. This is pretty far from a complete patch: it introduces an undocumented configure switch, and it changes the default value for a GUC without fixing either the corresponding SGML documentation or the postgresql.conf.sample line for it. While it would surely be possible to build all the infrastructure to make that work right, I'm not really sure that we want to carry around that much baggage for a single-system hack. A compromise that might be worth considering is to introduce #define PG_DEFAULT_SSL_CIPHERS "HIGH:MEDIUM:+3DES:!aNULL" into pg_config_manual.h, which would at least give you a reasonably stable target point for a long-lived patch. regards, tom lane -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers