Re: libpq compression

From Tom Lane
Subject Re: libpq compression
Date
Msg-id 27043.1339950593@sss.pgh.pa.us
In response to Re: libpq compression  (Florian Pflug <fgp@phlo.org>)
Responses Re: libpq compression  (Martijn van Oosterhout <kleptog@svana.org>)
List pgsql-hackers
Florian Pflug <fgp@phlo.org> writes:
> Would we still tell openssl to only negotiate ciphers in the configured
> list of available ciphers + NULL? If not, what happens if a connection
> happens to use a cipher that is actually stronger than any cipher on
> the "list of acceptable ciphers" list? The DBA wouldn't necessarily be
> aware that such a cipher even exists, since it could have been made
> available by an openssl upgrade

So?  If the DBA has gone so far as to list specific ciphers, who are
we to second-guess his judgment?  It's not for us to decide that cipher
X is "stronger" than the ones he listed.

> But if we restrict the negotiable ciphers to the configure list + NULL,
> then we're good I think.

The fly in the ointment with any of these ideas is that the "configure
list" is not a list of exact cipher names, as per Magnus' comment that
the current default includes tests like "!aNULL".  I am not sure that
we know how to evaluate such conditions if we are applying an
after-the-fact check on the selected cipher.  Does OpenSSL expose any
API for evaluating whether a selected cipher meets such a test?
        regards, tom lane
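
One way to run the after-the-fact check discussed above, as an added example that is not part of the original message or of PostgreSQL: let OpenSSL parse the cipher string itself, read back the exact names it selected, and test the negotiated cipher for membership. It uses Python's `ssl` wrapper around OpenSSL; the cipher string `HIGH:!aNULL` and the sample names are constructed for illustration.

```python
import ssl


def expand_cipher_string(cipher_string):
    """Exact cipher names OpenSSL selects for an OpenSSL cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        # OpenSSL evaluates tests such as "!aNULL" here; we never parse them.
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return frozenset()  # the string selected no cipher at all
    # Caveat: on OpenSSL 1.1.1+ this list also carries the TLS 1.3 suites,
    # which the cipher string does not control.
    return frozenset(c["name"] for c in ctx.get_ciphers())


def cipher_allowed(negotiated_name, cipher_string):
    """After-the-fact check: is the negotiated cipher covered by the string?

    negotiated_name is the OpenSSL name of the selected cipher, e.g. the
    first element of SSLSocket.cipher() on an established connection.
    """
    return negotiated_name in expand_cipher_string(cipher_string)


def audit(negotiated_names, cipher_string):
    """Check several observed cipher names against one configured string."""
    allowed = expand_cipher_string(cipher_string)
    return {name: name in allowed for name in negotiated_names}


if __name__ == "__main__":
    configured = "HIGH:!aNULL"  # constructed sample configuration
    # Constructed sample: two names the string selects plus one it cannot.
    sample = sorted(expand_cipher_string(configured))[:2] + ["NOT-A-REAL-CIPHER"]
    for name, ok in audit(sample, configured).items():
        print(f"{name:40s} {'allowed' if ok else 'REJECTED'}")
```

The expansion reflects the OpenSSL build the check runs against, so a library upgrade can change which names a string such as `HIGH:!aNULL` covers.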

