From c887ae42c1671c9e4260c9c9afceeadfa71c5b81 Mon Sep 17 00:00:00 2001
From: Bruce Momjian <bruce@momjian.us>
Date: Sat, 29 Dec 2007 04:27:02 +0000
Subject: [PATCH] Document that null ciphers are not recommended.

Mark Mielke
---
 doc/src/sgml/runtime.sgml | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
index 81970540ed..af7a7cf06e 100644
--- a/doc/src/sgml/runtime.sgml
+++ b/doc/src/sgml/runtime.sgml
@@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/runtime.sgml,v 1.399 2007/12/29 03:44:34 momjian Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/runtime.sgml,v 1.400 2007/12/29 04:27:02 momjian Exp $ -->
 
 <chapter Id="runtime">
  <title>Operating System Environment</title>
@@ -1604,12 +1604,20 @@ $ <userinput>kill -INT `head -1 /usr/local/pgsql/data/postmaster.pid`</userinput
    ciphers can be specified in the <productname>OpenSSL</productname>
    configuration file, you can specify ciphers specifically for use by
    the database server by modifying <xref linkend="guc-ssl-ciphers"> in
-   <filename>postgresql	.conf</>.  It is possible to have authentication
-   without the overhead of encryption by using <literal>NULL-SHA</> or
-   <literal>NULL-MD5</> ciphers.  However, a man-in-the-middle could read
-   and pass communications between client and server.
+   <filename>postgresql	.conf</>.
   </para>
 
+  <note>
+   <para>
+    It is possible to have authentication without encryption overhead by
+    using <literal>NULL-SHA</> or <literal>NULL-MD5</> ciphers.  However,
+    a man-in-the-middle could read and pass communications between client
+    and server.  Also, encryption overhead is minimal compared to the
+    overhead of authentication.  For these reasons NULL ciphers are not
+    recommended.
+   </para>
+  </note>
+
   <para>
    To start in <acronym>SSL</> mode, the files <filename>server.crt</>
    and <filename>server.key</> must exist in the server's data directory.
-- 
2.11.0