Re: libpq compression
Florian G. Pflug <fgp@phlo.org>
From: Florian Pflug <fgp@phlo.org>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Robert Haas <robertmhaas@gmail.com>, Martijn van Oosterhout <kleptog@svana.org>, Magnus Hagander <magnus@hagander.net>, Euler Taveira <euler@timbira.com>, Bruce Momjian <bruce@momjian.us>, Pgsql Hackers <pgsql-hackers@postgresql.org>
Date: 2012-06-20T15:44:18Z
Lists: pgsql-hackers
On Jun20, 2012, at 17:34 , Tom Lane wrote: > Florian Pflug <fgp@phlo.org> writes: >> I wonder though if shouldn't restrict the allowed ciphers list to being >> a simple list of supported ciphers. If our goal is to support multiple >> SSL libraries transparently then surely having openssl-specific syntax >> in the config file isn't exactly great anyway... > > No, we don't want to go there, because then we'd have to worry about > keeping the default list in sync with what's supported by the particular > version of the particular library we chance to be using. That's about > as far from transparent as you can get. A notation like "DEFAULT" > is really quite ideal for our purposes in that respect. No argument with that, but does that mean we have to allow the full syntax supported by OpenSSL (i.e., those +,-,! prefixes)? Maybe we could map an empty list to DEFAULT and otherwise interpret it as a list of ciphers? It'd make the whole NULL-cipher business easy, because once we know that the cipher specified doesn't contain !NULL (which removes NULL *permanently*), we can simply append NULL to allow "all these ciphers plus NULL". best regards, Florian Pflug