Hi hackers,

in Fedora, there's a crypto initiative where people try to consolidate SSL
cipher settings for (the majority of) Fedora services (PostgreSQL is
included).

PostgreSQL server uses 'HIGH:MEDIUM:+3DES:!aNULL' cipher set by default,
but what Fedora would like to have is 'PROFILE=SYSTEM' (works with
Fedora-patched OpenSSL, so please don't waste your time with checking this
elsewhere). What that really does is:

    kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:!EXP:!DES:!RC4:!RC2:!IDEA\
    :!SEED:!eNULL:!aNULL:!MD5:!SSLv2

.. but that's just for the record (should be a subset of the upstream default);
more info in RH bug [1].

I'd like to propose the attached patch, so we could (without downstream
patching) do

    $ ./configure ... --with-openssl-be-ciphers=PROFILE=SYSTEM

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1348125

Thanks for considering!
Pavel
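
Added example, not part of the original message or its attached patch: a Python check, using the standard ssl module, of the "should be a subset of the upstream default" remark against whatever OpenSSL the local Python is linked with. It evaluates the expanded string quoted above rather than PROFILE=SYSTEM, and the helper names are hypothetical.

```python
import ssl

# Both cipher strings are quoted from the message above.
UPSTREAM_DEFAULT = "HIGH:MEDIUM:+3DES:!aNULL"
PROFILE_EXPANSION = (
    "kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:!EXP:!DES:!RC4:!RC2:!IDEA"
    ":!SEED:!eNULL:!aNULL:!MD5:!SSLv2"
)

# Name fragments of suite families the expansion excludes (assumed helper list;
# single DES is left out because "DES" would also match 3DES suite names).
EXCLUDED_MARKERS = ("NULL", "RC4", "RC2", "IDEA", "SEED", "MD5")
ANON_PREFIXES = ("ADH-", "AECDH-")  # anonymous (aNULL) key exchange


def expand(cipher_string):
    """Suite names the local OpenSSL enables for cipher_string, in preference order.

    TLS 1.3 suites are not governed by this string and appear in every result.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


def outside_default(candidate, default=UPSTREAM_DEFAULT):
    """Suites enabled by candidate that the default string would not enable."""
    allowed = set(expand(default))
    return [name for name in expand(candidate) if name not in allowed]


def excluded_families_present(names):
    """Suites whose names indicate a family the expansion is meant to remove."""
    return [
        n for n in names
        if n.startswith(ANON_PREFIXES) or any(m in n for m in EXCLUDED_MARKERS)
    ]


if __name__ == "__main__":
    profile = expand(PROFILE_EXPANSION)
    print(ssl.OPENSSL_VERSION)
    print("suites enabled by expansion:", len(profile))
    print("not in upstream default:", outside_default(PROFILE_EXPANSION))
    print("excluded families present:", excluded_families_present(profile))
```

The result reflects the OpenSSL build in use, so it is worth running on the same host and library version the server is linked against.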