Re: Backend SSL configuration enhancement

On 2006.08.30 at 10:14:02 -0400, Tom Lane wrote:

> "Victor B. Wagner" <vitus@cryptocom.ru> writes:
> > This patch adds two new configuration diretives to postgresql.conf file
> > 1. ssl_ciphers  - allows server administrator to  specify set of SSL
> > ciphersuites which can be used by clients to connect  the server.
> > 2. ssl_engine - allows  to specify loadable crypto engin (i.e. hardware
> > crypto accelerator support) to use.
>
> Why are either of these useful?  What are the compatibility implications

First one is useful if for some reason some ciphers supported by OpenSSL
is not permitted to use in the particular network, or if there is need
to use ciphersuites which are not included into default ciphersuite
list, now compiled into PostgreSQL.

It might be requirement of enhanced security, or some national standards requirement.

Or vice versa - people might want client certificates for
authentication, but avoid encryption for performance reasons.

Second one can be used for taking cryptography load from server into
special hardware chip, which can be useful for loaded servers.
Also, upcoming OpenSSL 0.9.9 allows to add entirely new cryptographic
algorithms via engines, so engine support allows to use algorithms,
i.e. national standards, which are not supported in the OpenSSL core.

We have developed this patch in order to use Russian GOST algorithms
for SSL connections.
> of changing them?  Does the addition of the engine-load code break
> compatibility with older OpenSSL releases?

Engines have appeared in OpenSSL quite a long ago. Version 0.9.7 already
supports them. So, compatibility is broken only with 0.9.6 and eariler
which have numerous other problems anyway.

I can recheck my patch and add conditional compilation around engine
loading code to be sure that it doesn't break compatiblity with 0.9.6,
just ignores ssl_engine keyword if underlying OpenSSL doesn't support
engines.