</listitem>
</varlistentry>
+ <varlistentry id="guc-ssl-prefer-server-ciphers" xreflabel="ssl_prefer_server_ciphers">
+ <term><varname>ssl_prefer_server_ciphers</varname> (<type>boolean</type>)
+ <indexterm>
+ <primary><varname>ssl_prefer_server_ciphers</varname> configuration parameter</primary>
+ </indexterm>
+ </term>
+ <listitem>
+ <para>
+ Specifies whether to use the server's <acronym>SSL</acronym>
+ cipher preferences, rather than the client's.
+ The default value is false.
+ </para>
+ <para>
+ This parameter can only be set at server start.
+ </para>
+ </listitem>
+ </varlistentry>
+
</variablelist>
</sect2>
NULL, NULL, NULL
},
+ {
+ {"ssl_prefer_server_ciphers", CFGCXT_INIT, SSL_CONFIG,
+ "Use server's SSL cipher preferences, rather than the client's",
+ CONFIG_VAR_TYPE_BOOL, false, 0
+ },
+ &g_pool_config.ssl_prefer_server_ciphers,
+ false,
+ NULL, NULL, NULL
+ },
+
{
{"check_temp_table", CFGCXT_SESSION, GENERAL_CONFIG,
"Enables temporary table check.",
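Review bot: The boot default `false` in the new `ssl_prefer_server_ciphers` entry silently reverses existing behaviour: the last hunk on this page replaces an unconditional `SSL_CTX_set_options(cp->ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE)` with one guarded by this flag, so an upgraded installation that never sets the parameter stops enforcing the server's cipher order. With the sample `ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'`, a client that lists a MEDIUM or 3DES suite first could then negotiate it even when a HIGH suite is shared. I would keep the previous behaviour as the default, i.e. `true` here and `ssl_prefer_server_ciphers = on` in the five sample-configuration hunks and the documentation hunk, or at least call the change out in the release notes. The array this entry belongs to starts and ends outside the hunk.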
char *ssl_ca_cert_dir; /* path to directory containing CA
* certificates */
char *ssl_ciphers; /* allowed ssl ciphers */
+ bool ssl_prefer_server_ciphers; /*Use SSL cipher preferences, rather than the client's*/
int64 relcache_expire; /* relation cache life time in seconds */
int relcache_size; /* number of relation cache life entry */
bool check_temp_table; /* enable temporary table check */
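Review bot: The comment on the new `ssl_prefer_server_ciphers` field drops the word "server's", so it no longer says whose preferences win, and it lacks the spacing used by the neighbouring field comments. I would write `/* use server's SSL cipher preferences rather than the client's */`. It would also help to note there that when the flag is false the client's order decides among the suites permitted by `ssl_ciphers`. The struct this field belongs to starts and ends outside the hunk.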
ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'
# Allowed SSL ciphers
# (change requires restart)
+ssl_prefer_server_ciphers = off
+ # Use server's SSL cipher preferences,
+ # rather than the client's
+ # (change requires restart)
#------------------------------------------------------------------------------
# POOLS
#------------------------------------------------------------------------------
ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'
# Allowed SSL ciphers
# (change requires restart)
+ssl_prefer_server_ciphers = off
+ # Use server's SSL cipher preferences,
+ # rather than the client's
+ # (change requires restart)
#------------------------------------------------------------------------------
# POOLS
#------------------------------------------------------------------------------
ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'
# Allowed SSL ciphers
# (change requires restart)
+ssl_prefer_server_ciphers = off
+ # Use server's SSL cipher preferences,
+ # rather than the client's
+ # (change requires restart)
#------------------------------------------------------------------------------
# POOLS
#------------------------------------------------------------------------------
ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'
# Allowed SSL ciphers
# (change requires restart)
+ssl_prefer_server_ciphers = off
+ # Use server's SSL cipher preferences,
+ # rather than the client's
+ # (change requires restart)
#------------------------------------------------------------------------------
# POOLS
#------------------------------------------------------------------------------
ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'
# Allowed SSL ciphers
# (change requires restart)
+ssl_prefer_server_ciphers = off
+ # Use server's SSL cipher preferences,
+ # rather than the client's
+ # (change requires restart)
#------------------------------------------------------------------------------
# POOLS
#------------------------------------------------------------------------------
StrNCpy(status[i].desc, "allowed SSL ciphers", POOLCONFIG_MAXDESCLEN);
i++;
+ StrNCpy(status[i].name, "ssl_prefer_server_ciphers", POOLCONFIG_MAXNAMELEN);
+ snprintf(status[i].value, POOLCONFIG_MAXVALLEN, "%d", pool_config->ssl_prefer_server_ciphers);
+ StrNCpy(status[i].desc, "Use server's SSL cipher preferences", POOLCONFIG_MAXDESCLEN);
+ i++;
+
/* POOLS */
/* - Pool size - */
SSL_RETURN_ERROR_IF((error != 1), "Setting allowed cipher list");
/* Let server choose order */
- SSL_CTX_set_options(cp->ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+ if (pool_config->ssl_prefer_server_ciphers)
+ SSL_CTX_set_options(cp->ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
if (conntype == ssl_conn_serverclient)
{