Re: libpq compression
Florian G. Pflug <fgp@phlo.org>
From: Florian Pflug <fgp@phlo.org>
To: Robert Haas <robertmhaas@gmail.com>
Cc: Martijn van Oosterhout <kleptog@svana.org>, Tom Lane <tgl@sss.pgh.pa.us>, Magnus Hagander <magnus@hagander.net>, Euler Taveira <euler@timbira.com>, Bruce Momjian <bruce@momjian.us>, Pgsql Hackers <pgsql-hackers@postgresql.org>
Date: 2012-06-20T10:35:29Z
Lists: pgsql-hackers
On Jun19, 2012, at 17:36 , Robert Haas wrote: > On Mon, Jun 18, 2012 at 1:42 PM, Martijn van Oosterhout > <kleptog@svana.org> wrote: >> On Sun, Jun 17, 2012 at 12:29:53PM -0400, Tom Lane wrote: >>> The fly in the ointment with any of these ideas is that the "configure >>> list" is not a list of exact cipher names, as per Magnus' comment that >>> the current default includes tests like "!aNULL". I am not sure that >>> we know how to evaluate such conditions if we are applying an >>> after-the-fact check on the selected cipher. Does OpenSSL expose any >>> API for evaluating whether a selected cipher meets such a test? >> >> I'm not sure whether there's an API for it, but you can certainly check >> manually with "openssl ciphers -v", for example: >> >> $ openssl ciphers -v 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP' >> NULL-SHA SSLv3 Kx=RSA Au=RSA Enc=None Mac=SHA1 >> NULL-MD5 SSLv3 Kx=RSA Au=RSA Enc=None Mac=MD5 >> >> ...etc... >> >> So unless the openssl includes the code twice there must be a way to >> extract the list from the library. > > There doubtless is, but I'd being willing to wager that you won't be > able to figure out the exact method without reading the source code > for 'opennssl ciphers' to see how it was done there, and most likely > you'll find that at least one of the functions they use has no man > page. Documentation isn't their strong point. Yes, unfortunately. I wonder though if shouldn't restrict the allowed ciphers list to being a simple list of supported ciphers. If our goal is to support multiple SSL libraries transparently then surely having openssl-specific syntax in the config file isn't exactly great anyway... best regards, Florian Pflug