Re: ssl_library parameter

On 6/26/18 17:48, Tom Lane wrote:
> (1) I'm not really clear why we need this.  GUC variables aren't free.
> 
> (2) Are there security issues with exposing this info to everybody?

This functionality was requested in the threads about GnuTLS and other
SSL implementations so that users/admins can determine which SSL
settings are applicable.

I'm not sure about the security impact.  We do expose all the other
ssl_* settings to ordinary users, so if users want to see whether the
server is misconfigured or something like that, they can already do
that.  I think in the context of an SSL connection, the server is not
supposed to be the adversary of the client, so if the server can provide
more information about what it's doing to protect the client's
information, then the better.

-- 
Peter Eisentraut              http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services