This has been saved for the 8.3 release:


Victor B. Wagner wrote:
> On 2006.08.30 at 10:14:02 -0400, Tom Lane wrote:
> > "Victor B. Wagner" <[EMAIL PROTECTED]> writes:
> > > This patch adds two new configuration directives to the postgresql.conf file:
> > > 1. ssl_ciphers - allows the server administrator to specify the set of SSL
> > > ciphersuites which can be used by clients to connect to the server.
> > > 2. ssl_engine - allows specifying a loadable crypto engine (i.e. hardware
> > > crypto accelerator support) to use.
> > 
> > Why are either of these useful?  What are the compatibility implications
> The first one is useful if for some reason some ciphers supported by OpenSSL
> are not permitted for use in the particular network, or if there is a need
> to use ciphersuites which are not included in the default ciphersuite
> list, now compiled into PostgreSQL.
> It might be requirement of enhanced security, or some national standards 
> requirement.
> Or vice versa - people might want client certificates for
> authentication, but avoid encryption for performance reasons.
> Second one can be used for taking cryptography load from server into
> special hardware chip, which can be useful for loaded servers.
> Also, upcoming OpenSSL 0.9.9 allows to add entirely new cryptographic
> algorithms via engines, so engine support allows to use algorithms,
> i.e. national standards, which are not supported in the OpenSSL core.
> We have developed this patch in order to use Russian GOST algorithms
> for SSL connections.
> > of changing them?  Does the addition of the engine-load code break
> > compatibility with older OpenSSL releases?
> Engines appeared in OpenSSL quite a long time ago. Version 0.9.7 already
> supports them. So, compatibility is broken only with 0.9.6 and earlier,
> which have numerous other problems anyway.
> I can recheck my patch and add conditional compilation around engine
> loading code to be sure that it doesn't break compatibility with 0.9.6,
> just ignores ssl_engine keyword if underlying OpenSSL doesn't support
> engines.

  Bruce Momjian   [EMAIL PROTECTED]

  + If your life is a hard drive, Christ can be your backup. +
