On Sun, Jun 17, 2012 at 11:42 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Magnus Hagander <magnus@hagander.net> writes:
>> Is there a reason why we don't have a parameter on the client
>> mirroring ssl_ciphers?
>
> Dunno, do we need one? I am not sure what the cipher negotiation process
> looks like or which side has the freedom to choose.
I haven't looked into the details, but it seems reasonable that
*either* side should be able to at least define a list of ciphers it
*doens't* want to talk with.
Do we need it - well, it makes sense for the client to be able to say
"I won't trust 56-bit encryption" before it sends over the password,
imo..
>> That, or just have DEFAULT as being the default (which in current
>> openssl means ALL:!aNULL:!eNULL.
>
> If our default isn't the same as the underlying default, I have to
> question why not.
Yeah, that's exaclty what I'm questioning here..
> But are you sure this "!" notation will work with
> all openssl versions?
Uh. We have the ! notation in our default *now*. What openssl also
supports is the text "DEFAULT", which is currently the equivalent of
"ALL!aNULL!eNULL". The question, which is valid of course, should be
if "DEFAULT" works with all openssl versions.
It would seem reasonable it does, but I haven't investigated.
--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/