On Fri, Jan 23, 2009 at 02:04:21PM -0500, Carol Walter wrote:
>>> >>> ssl_ciphers 'ALL:!ADH:!LOW:@STRENGTH'

I don't understand this syntax, is it described somewhere to your knowledge? The docs say to see the openssl docs, so I went fishing there. Maybe one of these will work:

> openssl ciphers -v
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
...
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

> Yes, This says "All but ADH and low." I changed this line to just be
> ssl_ciphers = 'ALL' . Stopped, started, and re-ran and it still doesn't
> connect. The messages in the log file say "cipher or hash unavailable".

Maybe that means the ALL I guessed is wrong, but I dunno, the documentation doesn't say what that string means.

> Since the files of the ciphers are definitely on the system, this suggests
> that either postgres doesn't know where to find them or the permission on
> them are wrong.

It should, seems like that would have been handled in your compile pointing to the libs.

> The default is
> #ssl_ciphers = 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH' # allowed SSL

I don't know what this means, these are not listed in the openssl docs that are pointed to. Guess we could go read the pg source and figure out what they do with this config line, maybe. We need a clue here...

> how to tell postgres which set of cipher files to use. It's in the OpenSSL
> path, but not the complete path.

I'm thinking that is covered in the compile and you are not using the config line to pg's liking, but that's just a guess. Sorry, I can't try this stuff myself, buried in Oracle cruft right now.
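The ssl_ciphers value discussed in this thread uses the OpenSSL cipher list format described in the OpenSSL ciphers(1) manual page. As an added example (not part of the original message, and not PostgreSQL or OpenSSL code), the Python function below splits such a list into its elements and states what each operator does; the name `explain_cipher_list` is hypothetical, and the function describes the syntax only, it does not expand keywords into actual cipher suites.

```python
import re

# Meaning of the leading operator on an element, per the OpenSSL ciphers(1) manual.
PREFIX = {
    "!": "remove permanently (later elements cannot re-add)",
    "-": "remove (a later element may re-add)",
    "+": "move already-selected matches to the end of the list",
}


def explain_cipher_list(spec):
    """Return [(element, action, keywords)] for an OpenSSL cipher list string."""
    steps = []
    # Colons are the usual separator; commas and spaces are accepted too.
    for element in filter(None, re.split(r"[:, ]+", spec.strip())):
        if element.startswith("@"):
            if element == "@STRENGTH":
                action = "sort the current list by encryption key length"
            elif element.startswith("@SECLEVEL="):
                action = "set the security level"
            else:
                action = "unknown @ command"
            steps.append((element, action, []))
            continue
        op = element[0] if element[0] in PREFIX else ""
        # "A+B" inside an element is a logical AND of keywords, e.g. SHA1+DES.
        keywords = element[len(op):].split("+")
        action = PREFIX.get(op, "append matches not already in the list")
        steps.append((element, action, keywords))
    return steps


if __name__ == "__main__":
    # The two values quoted in the thread.
    for spec in ("ALL:!ADH:!LOW:@STRENGTH",
                 "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"):
        print(spec)
        for element, action, keywords in explain_cipher_list(spec):
            print(f"  {element:<10} {action} {keywords or ''}")
```

Elements are applied left to right, so `ALL:!ADH:!LOW:@STRENGTH` reads as: start with all suites, permanently drop the ADH and LOW groups, then sort what remains.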