NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit45188c2

committed

Support configuring TLSv1.3 cipher suites

The ssl_ciphers GUC can only set cipher suites for TLSv1.2, and lower,connections. For TLSv1.3 connections a different OpenSSL API must beused. This adds a new GUC, ssl_tls13_ciphers, which can be used toconfigure a colon separated list of cipher suites to support whenperforming a TLSv1.3 handshake.Original patch by Erica Zhang with additional hacking by me.Author: Erica Zhang <ericazhangy2021@qq.com>Author: Daniel Gustafsson <daniel@yesql.se>Reviewed-by: Jacob Champion <jacob.champion@enterprisedb.com>Reviewed-by: Andres Freund <andres@anarazel.de>Reviewed-by: Peter Eisentraut <peter@eisentraut.org>Reviewed-by: Jelte Fennema-Nio <postgres@jeltef.nl>Discussion:https://postgr.es/m/tencent_063F89FA72CCF2E48A0DF5338841988E9809@qq.com

1 parent3d1ef3a commit45188c2Copy full SHA for 45188c2

File tree

7 files changed

+66

-15

lines changed

doc/src/sgml
- config.sgml
src
- backend
  - libpq
    - be-secure-openssl.c
    - be-secure.c
  - utils/misc
    - guc_tables.c
    - postgresql.conf.sample
- include/libpq
  - libpq.h
- test/ssl/t/SSL
  - Server.pm

7 files changed

+66

-15

lines changed

`‎doc/src/sgml/config.sgml`

Lines changed: 28 additions & 8 deletions

Original file line number	Diff line number	Diff line change
`@@ -1340,6 +1340,28 @@ include_dir 'conf.d'`
`1340`	`1340`	`</listitem>`
`1341`	`1341`	`</varlistentry>`
`1342`	`1342`
	`1343`	`+ <varlistentry id="guc-ssl-tls13-ciphers" xreflabel="ssl_tls13_ciphers">`
	`1344`	`+ <term><varname>ssl_tls13_ciphers</varname> (<type>string</type>)`
	`1345`	`+ <indexterm>`
	`1346`	`+ <primary><varname>ssl_tls13_ciphers</varname> configuration parameter</primary>`
	`1347`	`+ </indexterm>`
	`1348`	`+ </term>`
	`1349`	`+ <listitem>`
	`1350`	`+ <para>`
	`1351`	`+ Specifies a list of cipher suites that are allowed by connections using`
	`1352`	`+ <acronym>TLS</acronym> version 1.3. Multiple cipher suites can be`
	`1353`	`+ specified by using a colon separated list. If left blank, the default`
	`1354`	`+ set of cipher suites in <productname>OpenSSL</productname> will be used.`
	`1355`	`+ </para>`
	`1356`	`+`
	`1357`	`+ <para>`
	`1358`	`+ This parameter can only be set in the`
	`1359`	`+ <filename>postgresql.conf</filename> file or on the server command`
	`1360`	`+ line.`
	`1361`	`+ </para>`
	`1362`	`+ </listitem>`
	`1363`	`+ </varlistentry>`
	`1364`	`+`
`1343`	`1365`	`<varlistentry id="guc-ssl-ciphers" xreflabel="ssl_ciphers">`
`1344`	`1366`	`<term><varname>ssl_ciphers</varname> (<type>string</type>)`
`1345`	`1367`	`<indexterm>`
`@@ -1348,15 +1370,13 @@ include_dir 'conf.d'`
`1348`	`1370`	`</term>`
`1349`	`1371`	`<listitem>`
`1350`	`1372`	`<para>`
`1351`		`- Specifies a list of <acronym>SSL</acronym> cipher suites that are`
`1352`		`- allowed to be used by SSL connections. See the`
`1353`		`- <citerefentry><refentrytitle>ciphers</refentrytitle></citerefentry>`
	`1373`	`+ Specifies a list of <acronym>SSL</acronym> ciphers that are allowed by`
	`1374`	`+ connections using TLS version 1.2 and lower, see`
	`1375`	`+ <xref linkend="guc-ssl-tls13-ciphers"/> for TLS version 1.3 connections. See`
	`1376`	`+ the <citerefentry><refentrytitle>ciphers</refentrytitle></citerefentry>`
`1354`	`1377`	`manual page in the <productname>OpenSSL</productname> package for the`
`1355`		`- syntax of this setting and a list of supported values. Only`
`1356`		`- connections using TLS version 1.2 and lower are affected. There is`
`1357`		`- currently no setting that controls the cipher choices used by TLS`
`1358`		`- version 1.3 connections. The default value is`
`1359`		`- <literal>HIGH:MEDIUM:+3DES:!aNULL</literal>. The default is usually a`
	`1378`	`+ syntax of this setting and a list of supported values. The default value`
	`1379`	`+ is <literal>HIGH:MEDIUM:+3DES:!aNULL</literal>. The default is usually a`
`1360`	`1380`	`reasonable choice unless you have specific security requirements.`
`1361`	`1381`	`</para>`
`1362`	`1382`

`‎src/backend/libpq/be-secure-openssl.c`

Lines changed: 19 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -288,15 +288,31 @@ be_tls_init(bool isServerStart)`
`288`	`288`	`if (!initialize_ecdh(context,isServerStart))`
`289`	`289`	`gotoerror;`
`290`	`290`
`291`		`-/* set up the allowed cipher list */`
`292`		`-if (SSL_CTX_set_cipher_list(context,SSLCipherSuites)!=1)`
	`291`	`+/* set up the allowed cipher listfor TLSv1.2 and below*/`
	`292`	`+if (SSL_CTX_set_cipher_list(context,SSLCipherList)!=1)`
`293`	`293`	`{`
`294`	`294`	`ereport(isServerStart ?FATAL :LOG,`
`295`	`295`	`(errcode(ERRCODE_CONFIG_FILE_ERROR),`
`296`		`-errmsg("could not set the cipher list (no valid ciphers available)")));`
	`296`	`+errmsg("could not set theTLSv1.2cipher list (no valid ciphers available)")));`
`297`	`297`	`gotoerror;`
`298`	`298`	`}`
`299`	`299`
	`300`	`+/*`
	`301`	`+ * Set up the allowed cipher suites for TLSv1.3. If the GUC is an empty`
	`302`	`+ * string we leave the allowed suites to be the OpenSSL default value.`
	`303`	`+ */`
	`304`	`+if (SSLCipherSuites[0])`
	`305`	`+{`
	`306`	`+/* set up the allowed cipher suites */`
	`307`	`+if (SSL_CTX_set_ciphersuites(context,SSLCipherSuites)!=1)`
	`308`	`+{`
	`309`	`+ereport(isServerStart ?FATAL :LOG,`
	`310`	`+(errcode(ERRCODE_CONFIG_FILE_ERROR),`
	`311`	`+errmsg("could not set the TLSv1.3 cipher suites (no valid ciphers available)")));`
	`312`	`+gotoerror;`
	`313`	`+}`
	`314`	`+}`
	`315`	`+`
`300`	`316`	`/* Let server choose order */`
`301`	`317`	`if (SSLPreferServerCiphers)`
`302`	`318`	`SSL_CTX_set_options(context,SSL_OP_CIPHER_SERVER_PREFERENCE);`

`‎src/backend/libpq/be-secure.c`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -49,6 +49,7 @@ boolssl_loaded_verify_locations = false;`
`49`	`49`
`50`	`50`	`/* GUC variable controlling SSL cipher list */`
`51`	`51`	`char*SSLCipherSuites=NULL;`
	`52`	`+char*SSLCipherList=NULL;`
`52`	`53`
`53`	`54`	`/* GUC variable for default ECHD curve. */`
`54`	`55`	`char*SSLECDHCurve;`

`‎src/backend/utils/misc/guc_tables.c`

Lines changed: 13 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -4641,12 +4641,23 @@ struct config_string ConfigureNamesString[] =`
`4641`	`4641`	`},`
`4642`	`4642`
`4643`	`4643`	`{`
`4644`		`-{"ssl_ciphers",PGC_SIGHUP,CONN_AUTH_SSL,`
`4645`		`-gettext_noop("Sets the list of allowedSSL ciphers."),`
	`4644`	`+{"ssl_tls13_ciphers",PGC_SIGHUP,CONN_AUTH_SSL,`
	`4645`	`+gettext_noop("Sets the list of allowedTLSv1.3 cipher suites (leave blank for default)."),`
`4646`	`4646`	`NULL,`
`4647`	`4647`	`GUC_SUPERUSER_ONLY`
`4648`	`4648`	`},`
`4649`	`4649`	`&SSLCipherSuites,`
	`4650`	`+"",`
	`4651`	`+NULL,NULL,NULL`
	`4652`	`+},`
	`4653`	`+`
	`4654`	`+{`
	`4655`	`+{"ssl_ciphers",PGC_SIGHUP,CONN_AUTH_SSL,`
	`4656`	`+gettext_noop("Sets the list of allowed TLSv1.2 (and lower) ciphers."),`
	`4657`	`+NULL,`
	`4658`	`+GUC_SUPERUSER_ONLY`
	`4659`	`+},`
	`4660`	`+&SSLCipherList,`
`4650`	`4661`	`#ifdefUSE_OPENSSL`
`4651`	`4662`	`"HIGH:MEDIUM:+3DES:!aNULL",`
`4652`	`4663`	`#else`

`‎src/backend/utils/misc/postgresql.conf.sample`

Lines changed: 2 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -110,7 +110,8 @@`
`110`	`110`	`#ssl_crl_file = ''`
`111`	`111`	`#ssl_crl_dir = ''`
`112`	`112`	`#ssl_key_file = 'server.key'`
`113`		`-#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'# allowed SSL ciphers`
	`113`	`+#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'# allowed TLSv1.2 ciphers`
	`114`	`+#ssl_tls13_ciphers = ''# allowed TLSv1.3 cipher suites, blank for default`
`114`	`115`	`#ssl_prefer_server_ciphers = on`
`115`	`116`	`#ssl_groups = 'prime256v1'`
`116`	`117`	`#ssl_min_protocol_version = 'TLSv1.2'`

`‎src/include/libpq/libpq.h`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -118,6 +118,7 @@ extern ssize_t secure_open_gssapi(Port *port);`
`118`	`118`
`119`	`119`	`/* GUCs */`
`120`	`120`	`externPGDLLIMPORTchar*SSLCipherSuites;`
	`121`	`+externPGDLLIMPORTchar*SSLCipherList;`
`121`	`122`	`externPGDLLIMPORTchar*SSLECDHCurve;`
`122`	`123`	`externPGDLLIMPORTboolSSLPreferServerCiphers;`
`123`	`124`	`externPGDLLIMPORTintssl_min_protocol_version;`

`‎src/test/ssl/t/SSL/Server.pm`

Lines changed: 2 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -300,8 +300,9 @@ sub switch_server_cert`
`300`	`300`	`ok(unlink($node->data_dir .'/sslconfig.conf'));`
`301`	`301`	`$node->append_conf('sslconfig.conf',"ssl=on");`
`302`	`302`	`$node->append_conf('sslconfig.conf',$backend->set_server_cert(\%params));`
`303`		`-# use lists of ECDH curves for syntax testing`
	`303`	`+# use lists of ECDH curvesand cipher suitesfor syntax testing`
`304`	`304`	`$node->append_conf('sslconfig.conf','ssl_groups=prime256v1:secp521r1');`
	`305`	`+$node->append_conf('sslconfig.conf','ssl_tls13_ciphers=TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256');`
`305`	`306`
`306`	`307`	`$node->append_conf('sslconfig.conf',`
`307`	`308`	`"ssl_passphrase_command='" .$params{passphrase_cmd} ."'")`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit45188c2

File tree

7 files changed

7 files changed

`‎doc/src/sgml/config.sgml`

`‎src/backend/libpq/be-secure-openssl.c`

`‎src/backend/libpq/be-secure.c`

`‎src/backend/utils/misc/guc_tables.c`

`‎src/backend/utils/misc/postgresql.conf.sample`

`‎src/include/libpq/libpq.h`

`‎src/test/ssl/t/SSL/Server.pm`

0 commit comments