Обсуждение: ssl_library parameter
Extracted from the GnuTLS thread/patch, here is a patch to add a server-side read-only parameter ssl_library, which currently reports either 'OpenSSL' or an empty string, depending on what SSL library was built with. This is analogous to the libpq function call PQsslAttribute(conn, "library"), but there was no equivalent functionality on the server side. -- Peter Eisentraut http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
Вложения
> On 26 Jun 2018, at 11:06, Peter Eisentraut <peter.eisentraut@2ndquadrant.com> wrote: > > Extracted from the GnuTLS thread/patch, here is a patch to add a > server-side read-only parameter ssl_library, which currently reports > either 'OpenSSL' or an empty string, depending on what SSL library was > built with. This is analogous to the libpq function call > PQsslAttribute(conn, "library"), but there was no equivalent > functionality on the server side. Looks good to me, +1 cheers ./daniel
Peter Eisentraut <peter.eisentraut@2ndquadrant.com> writes:
> Extracted from the GnuTLS thread/patch, here is a patch to add a
> server-side read-only parameter ssl_library, which currently reports
> either 'OpenSSL' or an empty string, depending on what SSL library was
> built with. This is analogous to the libpq function call
> PQsslAttribute(conn, "library"), but there was no equivalent
> functionality on the server side.
(1) I'm not really clear why we need this. GUC variables aren't free.
(2) Are there security issues with exposing this info to everybody?
regards, tom lane
On 6/26/18 17:48, Tom Lane wrote: > (1) I'm not really clear why we need this. GUC variables aren't free. > > (2) Are there security issues with exposing this info to everybody? This functionality was requested in the threads about GnuTLS and other SSL implementations so that users/admins can determine which SSL settings are applicable. I'm not sure about the security impact. We do expose all the other ssl_* settings to ordinary users, so if users want to see whether the server is misconfigured or something like that, they can already do that. I think in the context of an SSL connection, the server is not supposed to be the adversary of the client, so if the server can provide more information about what it's doing to protect the client's information, then the better. -- Peter Eisentraut http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
On 26/06/2018 11:49, Daniel Gustafsson wrote: >> Extracted from the GnuTLS thread/patch, here is a patch to add a >> server-side read-only parameter ssl_library, which currently reports >> either 'OpenSSL' or an empty string, depending on what SSL library was >> built with. This is analogous to the libpq function call >> PQsslAttribute(conn, "library"), but there was no equivalent >> functionality on the server side. > > Looks good to me, +1 committed -- Peter Eisentraut http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services