On 2006.08.31 at 10:34:02 +0200, Peter Eisentraut wrote: > Am Donnerstag, 31. August 2006 11:29 schrieb Stefan Kaltenbrunner: > > this is btw. something that is available in most daemons utilizing > > openssl - one can disable weak ciphers (which might not even be known as > > weak at the time the defaults where set) or ciphers not authorized for > > certain usage scenarios by this means. > > In that case I'd expect to edit some central openssl configuration file to > turn off the offending methods in one central place.
There is no such functionality in OpenSSL configuration file. Moreover, other SSL applications such as Apache, use more fine-grained apporoach - use different ciphersuite settings for virtual hosts and even particular web pages. Cipher strength is quantitive characteristic. In some cases same cipher can be strong enough, and in some - not. I can imagine scenarios where different databases or even different roles in the same database would require different strength of cipher. For example, user with read-only access to tables (say web server, visualizing data) can connect without encryption at all, user with update/insert permissions - with 128-bit encryption, and database superuser - only with 256-bit. But I don't think that implementation of such flexibility would be neccessary until there would be certificate based database authentication. ---------------------------(end of broadcast)--------------------------- TIP 1: if posting/reading through Usenet, please send an appropriate subscribe-nomail command to [EMAIL PROTECTED] so that your message can get through to the mailing list cleanly