Re: [HACKERS] [PATCH] configure-time knob to set default ssl ciphers
From | Tom Lane |
---|---|
Subject | Re: [HACKERS] [PATCH] configure-time knob to set default ssl ciphers |
Date | |
Msg-id | 3239.1486571998@sss.pgh.pa.us |
In response to | Re: [HACKERS] [PATCH] configure-time knob to set default ssl ciphers (Daniel Gustafsson <daniel@yesql.se>) |
Responses | Re: [HACKERS] [PATCH] configure-time knob to set default ssl ciphers |
List | pgsql-hackers |

Daniel Gustafsson <daniel@yesql.se> writes:

> Since we hopefully will support more SSL libraries than OpenSSL at some point,
> and we don’t want a torrent of configure options, wouldn’t this be better as
> --with-server-ciphers=STRING or something similar?

One of the reasons I'm not very excited about exposing this as a configure option is exactly that I'm not sure what happens when we get multiple TLS library support. The cipher list we've got at the moment seems like it is probably OpenSSL-specific (but maybe not?). If we did have code for multiple libraries, perhaps some people would want to compile all the variants at once; in which case overloading a single option to be used for all the libraries would be a problem.

This would all be a lot clearer if we already had that code, but since we don't, I'm inclined to be conservative about exposing new features that make assumptions about how it will be.

regards, tom lane