Re: [HACKERS] [PATCHES] Backend SSL configuration enhancement

2006-09-07 Thread Victor Wagner
On 2006.09.04 at 15:46:03 -0400, Bruce Momjian wrote: Tom Lane wrote: Bruce Momjian [EMAIL PROTECTED] writes: This has been saved for the 8.3 release: http://momjian.postgresql.org/cgi-bin/pgpatches_hold This version was withdrawn by the author for rework, no? Right, and the

Re: [HACKERS] [PATCHES] Backend SSL configuration enhancement

2006-09-07 Thread Martijn van Oosterhout
On Tue, Sep 05, 2006 at 10:17:15AM +0400, Victor Wagner wrote: It's a pity that it's to late for patch to get into 8.2. It means that during all 8.2 lifecycle we'll have to maintain this patch separately. Hmm? After 8.2 releases, if it's ready, it will go straight into CVS at which point it'll

Re: [HACKERS] [PATCHES] Backend SSL configuration enhancement

2006-09-05 Thread Bruce Momjian
Victor Wagner wrote: On 2006.09.04 at 15:46:03 -0400, Bruce Momjian wrote: Tom Lane wrote: Bruce Momjian [EMAIL PROTECTED] writes: This has been saved for the 8.3 release: http://momjian.postgresql.org/cgi-bin/pgpatches_hold This version was withdrawn by the author

Re: [HACKERS] [PATCHES] Backend SSL configuration enhancement

2006-09-04 Thread Tom Lane
Bruce Momjian [EMAIL PROTECTED] writes: This has been saved for the 8.3 release: http://momjian.postgresql.org/cgi-bin/pgpatches_hold This version was withdrawn by the author for rework, no? regards, tom lane ---(end of

Re: [HACKERS] [PATCHES] Backend SSL configuration enhancement

2006-09-04 Thread Bruce Momjian
Tom Lane wrote: Bruce Momjian [EMAIL PROTECTED] writes: This has been saved for the 8.3 release: http://momjian.postgresql.org/cgi-bin/pgpatches_hold This version was withdrawn by the author for rework, no? Right, and the thread in patches_hold shows that. The reason it is in there

Re: [HACKERS] [PATCHES] Backend SSL configuration enhancement

2006-09-01 Thread Bruno Wolff III
On Thu, Aug 31, 2006 at 12:11:46 +0400, Victor B. Wagner [EMAIL PROTECTED] wrote: It contains !MD5 element, because MD5 digest algorithm was broken about year ago, and PostgreSQL expected to work with versions of OpenSSL which still consider it strong. MD5 wasn't completely broken and I

Re: [HACKERS] [PATCHES] Backend SSL configuration enhancement

2006-08-31 Thread Victor B. Wagner
On 2006.08.31 at 00:09:56 +0200, Peter Eisentraut wrote: Victor B. Wagner wrote: First one is useful if for some reason some ciphers supported by OpenSSL is not permitted to use in the particular network, or if there is need to use ciphersuites which are not included into default

Re: [HACKERS] [PATCHES] Backend SSL configuration enhancement

2006-08-31 Thread Stefan Kaltenbrunner
Peter Eisentraut wrote: Victor B. Wagner wrote: First one is useful if for some reason some ciphers supported by OpenSSL is not permitted to use in the particular network, or if there is need to use ciphersuites which are not included into default ciphersuite list, now compiled into PostgreSQL.

Re: [HACKERS] [PATCHES] Backend SSL configuration enhancement

2006-08-31 Thread Gregory Stark
Victor B. Wagner [EMAIL PROTECTED] writes: One example which can be tested with stock OpenSSL without national cryptography modules is - usage of NULL ciphers. They are not enabled by default, but use of them provides cryptographically strong authentication with client certificates and data

Re: [HACKERS] [PATCHES] Backend SSL configuration enhancement

2006-08-31 Thread Victor B. Wagner
On 2006.08.31 at 08:52:08 +0100, Gregory Stark wrote: Victor B. Wagner [EMAIL PROTECTED] writes: One example which can be tested with stock OpenSSL without national cryptography modules is - usage of NULL ciphers. They are not enabled by default, but use of them provides

Re: [HACKERS] [PATCHES] Backend SSL configuration enhancement

2006-08-31 Thread Peter Eisentraut
Am Donnerstag, 31. August 2006 11:29 schrieb Stefan Kaltenbrunner: this is btw. something that is available in most daemons utilizing openssl - one can disable weak ciphers (which might not even be known as weak at the time the defaults where set) or ciphers not authorized for certain usage

Re: [HACKERS] [PATCHES] Backend SSL configuration enhancement

2006-08-31 Thread Victor B. Wagner
On 2006.08.31 at 10:34:02 +0200, Peter Eisentraut wrote: Am Donnerstag, 31. August 2006 11:29 schrieb Stefan Kaltenbrunner: this is btw. something that is available in most daemons utilizing openssl - one can disable weak ciphers (which might not even be known as weak at the time the

Re: [HACKERS] [PATCHES] Backend SSL configuration enhancement

2006-08-31 Thread Tom Lane
Peter Eisentraut [EMAIL PROTECTED] writes: In that case I'd expect to edit some central openssl configuration file to turn off the offending methods in one central place. I concur with this in the abstract: it would be better design to submit something to the OpenSSL project to allow setting

Re: [HACKERS] [PATCHES] Backend SSL configuration enhancement

2006-08-31 Thread Victor B. Wagner
On 2006.08.31 at 14:36:28 -0400, Tom Lane wrote: I concur with this in the abstract: it would be better design to submit something to the OpenSSL project to allow setting engine choices and such site-wide. In the short term, though, it's hard to deny that our code if

Re: [HACKERS] [PATCHES] Backend SSL configuration enhancement

2006-08-30 Thread Tom Lane
Victor B. Wagner [EMAIL PROTECTED] writes: This patch adds two new configuration diretives to postgresql.conf file 1. ssl_ciphers - allows server administrator to specify set of SSL ciphersuites which can be used by clients to connect the server. 2. ssl_engine - allows to specify loadable

Re: [HACKERS] [PATCHES] Backend SSL configuration enhancement

2006-08-30 Thread Andrew Dunstan
Tom Lane wrote: Victor B. Wagner [EMAIL PROTECTED] writes: This patch adds two new configuration diretives to postgresql.conf file 1. ssl_ciphers - allows server administrator to specify set of SSL ciphersuites which can be used by clients to connect the server. 2. ssl_engine - allows to

Re: [HACKERS] [PATCHES] Backend SSL configuration enhancement

2006-08-30 Thread Peter Eisentraut
Victor B. Wagner wrote: First one is useful if for some reason some ciphers supported by OpenSSL is not permitted to use in the particular network, or if there is need to use ciphersuites which are not included into default ciphersuite list, now compiled into PostgreSQL. Do you have specific