Commit c7b0805

SSL improvements:

o read global SSL configuration file
o add GUC "ssl_ciphers" to control allowed ciphers
o add libpq environment variable PGSSLKEY to control SSL hardware keys

Victor B. Wagner
1 parent 68046a2 commit c7b0805

9 files changed, +202 -54 lines changed


doc/src/sgml/config.sgml

Lines changed: 15 additions & 1 deletion
@@ -1,4 +1,4 @@
1-
<!-- $PostgreSQL: pgsql/doc/src/sgml/config.sgml,v 1.110 2007/02/08 15:46:03 momjian Exp $ -->
1+
<!-- $PostgreSQL: pgsql/doc/src/sgml/config.sgml,v 1.111 2007/02/16 02:59:40 momjian Exp $ -->
22

33
<chapter Id="runtime-config">
44
<title>Server Configuration</title>
@@ -569,6 +569,20 @@ SET ENABLE_SEQSCAN TO OFF;
569569
</listitem>
570570
</varlistentry>
571571

572+
<varlistentry id="guc-ssl-ciphers" xreflabel="ssl-ciphers">
573+
<term><varname>ssl_ciphers> (<type>string</type>)</term>
574+
<indexterm>
575+
<primary><varname>ssl_ciphers</> configuration parameter</primary>
576+
</indexterm>
577+
<listitem>
578+
<para>
579+
Specifies a list of <acronym>SSL</> ciphers which can be used to
580+
establish secure connections. See the <application>openssl</>
581+
manual page for a list of supported ciphers.
582+
</para>
583+
</listitem>
584+
</varlistentry>
585+
572586
<varlistentry id="guc-password-encryption" xreflabel="password_encryption">
573587
<term><varname>password_encryption</varname> (<type>boolean</type>)</term>
574588
<indexterm>
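Review bot: the `<term>` line is malformed: `<varname>ssl_ciphers>` lacks its closing tag and should read `<varname>ssl_ciphers</varname>`, matching the `password_encryption` entry that follows. The entry would also be more useful if it stated the default (`ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH`, per the guc.c hunk in this commit) and that the parameter can only be set at server start, since it is registered as PGC_POSTMASTER.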

doc/src/sgml/libpq.sgml

Lines changed: 40 additions & 3 deletions
@@ -1,4 +1,4 @@
1-
<!-- $PostgreSQL: pgsql/doc/src/sgml/libpq.sgml,v 1.228 2007/02/06 03:03:11 tgl Exp $ -->
1+
<!-- $PostgreSQL: pgsql/doc/src/sgml/libpq.sgml,v 1.229 2007/02/16 02:59:40 momjian Exp $ -->
22

33
<chapter id="libpq">
44
<title><application>libpq</application> - C Library</title>
@@ -4174,6 +4174,18 @@ setting, and is only available if
41744174
</listitem>
41754175
<listitem>
41764176
<para>
4177+
<indexterm>
4178+
<primary><envar>PGSSLKEY</envar></primary>
4179+
</indexterm>
4180+
<envar>PGSSLKEY</envar>
4181+
specifies the hardware token which stores the secret key for the client
4182+
certificate, instead of a file. The value of this variable should consist
4183+
of a colon-separated engine name (engines are <productname>OpenSSL</>
4184+
loadable modules) and an engine-specific key identifier.
4185+
</para>
4186+
</listitem>
4187+
<listitem>
4188+
<para>
41774189
<indexterm>
41784190
<primary><envar>PGKRBSRVNAME</envar></primary>
41794191
</indexterm>
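Review bot: the PGSSLKEY value format is described only in words here ("a colon-separated engine name ... and an engine-specific key identifier") and again, in more detail, in the SSL paragraph added later in this file; a cross-reference from this entry to that section would keep the two descriptions from drifting apart. Minor wording: "the hardware token which stores" reads better as "that stores".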
@@ -4438,19 +4450,44 @@ ldap://ldap.mycompany.com/dc=mycompany,dc=com?uniqueMember?one?(cn=mydatabase)
44384450
for increased security. See <xref linkend="ssl-tcp"> for details
44394451
about the server-side <acronym>SSL</> functionality.
44404452
</para>
4441-
4453+
<para>
4454+
<application>libpq</application> reads the system-wide
4455+
<productname>OpenSSL</productname> configuration file. By default, this
4456+
file is named <filename>openssl.cnf</filename> and is located in the
4457+
directory reported by <application>openssl</>:
4458+
<programlisting>
4459+
openssl version -d
4460+
</programlisting>
4461+
The default can be overriden by setting environment variable
4462+
<envar>OPENSSL_CONF</envar> to the name of the desired configuration
4463+
file.
4464+
</para>
44424465
<para>
44434466
If the server demands a client certificate,
44444467
<application>libpq</application>
44454468
will send the certificate stored in file
44464469
<filename>~/.postgresql/postgresql.crt</> within the user's home directory.
44474470
A matching private key file <filename>~/.postgresql/postgresql.key</>
4448-
must also be present, and must not be world-readable.
4471+
must also be present, and must not be world-readable, unless the secret
4472+
key is stored in a hardware token, as specified by
4473+
<envar>PGSSLKEY</envar>.
44494474
(On Microsoft Windows these files are named
44504475
<filename>%APPDATA%\postgresql\postgresql.crt</filename> and
44514476
<filename>%APPDATA%\postgresql\postgresql.key</filename>.)
44524477
</para>
44534478

4479+
<para>
4480+
If the environment variable <envar>PGSSLKEY</envar> is set, its value
4481+
should consist of a colon-separated engine name and key identifier. In
4482+
this case, <application>libpq</application> will load the specified
4483+
engine, i.e. the <productname>OpenSSL</> module which supports special
4484+
hardware and reference the key with the specified identifier.
4485+
Identifiers are engine-specific. Typically, cryptography hardware tokens
4486+
do not reveal secret keys to the application. Instead, applications
4487+
delegate all cryptography operations which require the secret key to
4488+
the hardware token.
4489+
</para>
4490+
44544491
<para>
44554492
If the file <filename>~/.postgresql/root.crt</> is present in the user's
44564493
home directory,
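Review bot: "overriden" in the new OPENSSL_CONF sentence should be "overridden", and "by setting environment variable" is missing "the". In the PGSSLKEY paragraph, "will load the specified engine, i.e. the OpenSSL module which supports special hardware and reference the key" needs a comma after "hardware" so that "reference" reads as the second verb of "will load" rather than part of the engine description. Since this paragraph tells users that libpq now reads openssl.cnf from a path chosen by OPENSSL_CONF and loads engine modules named by PGSSLKEY, it should state plainly that the configuration file and any engine module it loads must be trusted by the user running the client.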

doc/src/sgml/runtime.sgml

Lines changed: 22 additions & 3 deletions
@@ -1,4 +1,4 @@
1-
<!-- $PostgreSQL: pgsql/doc/src/sgml/runtime.sgml,v 1.376 2007/02/01 00:28:18 momjian Exp $ -->
1+
<!-- $PostgreSQL: pgsql/doc/src/sgml/runtime.sgml,v 1.377 2007/02/16 02:59:40 momjian Exp $ -->
22

33
<chapter Id="runtime">
44
<title>Operating System Environment</title>
@@ -1515,6 +1515,25 @@ $ <userinput>kill -INT `head -1 /usr/local/pgsql/data/postmaster.pid`</userinput
15151515
require use of <acronym>SSL</> for some or all connections.
15161516
</para>
15171517

1518+
<para>
1519+
<productname>OpenSSL</productname> supports a wide range of ciphers
1520+
and authentication algorithms, whose strength varies significantly.
1521+
You can restrict the list of ciphers which can be used to connect to
1522+
your server using the <xref linkend="guc-ssl-ciphers"> parameter.
1523+
</para>
1524+
1525+
<para>
1526+
<productname>PostgreSQL</productname> reads a system-wide
1527+
<productname>OpenSSL</productname> configuration file. By default this
1528+
file is named <filename>openssl.cnf</filename> and is located in the
1529+
directory reported by <application>openssl</>:
1530+
<programlisting>
1531+
openssl version -d
1532+
</programlisting>
1533+
This default can be overriden by setting environment variable
1534+
<envar>OPENSSL_CONF</envar> to the name of desired configuration file.
1535+
</para>
1536+
15181537
<para>
15191538
For details on how to create your server private key and certificate,
15201539
refer to the <productname>OpenSSL</> documentation. A
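Review bot: same typo as in libpq.sgml: "overriden" should be "overridden", and "the name of desired configuration file" is missing "the". The cipher paragraph tells administrators they can restrict the cipher list with `ssl_ciphers` but not what they start from; quoting the default from the guc.c hunk (`ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH`) and saying that the value uses OpenSSL cipher-list syntax (the text only points at the openssl manual page) would make it actionable.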
@@ -1528,8 +1547,8 @@ $ <userinput>kill -INT `head -1 /usr/local/pgsql/data/postmaster.pid`</userinput
15281547
<programlisting>
15291548
openssl req -new -text -out server.req
15301549
</programlisting>
1531-
Fill out the information that <command>openssl</> asks for. Make sure
1532-
thatyou enter the local host name as <quote>Common Name</>; the challenge
1550+
Fill out the information that <application>openssl</> asks for. Make sure
1551+
you enter the local host name as <quote>Common Name</>; the challenge
15331552
password can be left blank. The program will generate a key that is
15341553
passphrase protected; it will not accept a passphrase that is less
15351554
than four characters long. To remove the passphrase (as you must if

src/backend/libpq/be-secure.c

Lines changed: 13 additions & 2 deletions
@@ -11,7 +11,7 @@
1111
*
1212
*
1313
* IDENTIFICATION
14-
* $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.77 2007/02/07 00:52:35 petere Exp $
14+
* $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.78 2007/02/16 02:59:40 momjian Exp $
1515
*
1616
* Since the server static private key ($DataDir/server.key)
1717
* will normally be stored unencrypted so that the database
@@ -92,6 +92,10 @@
9292
#ifdefUSE_SSL
9393
#include<openssl/ssl.h>
9494
#include<openssl/dh.h>
95+
#ifSSLEAY_VERSION_NUMBER >=0x0907000L
96+
#include<openssl/conf.h>
97+
#endif
98+
9599
#endif
96100

97101
#include"libpq/libpq.h"
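Review bot: the `SSLEAY_VERSION_NUMBER >= 0x0907000L` test introduced here is repeated verbatim at the `OPENSSL_config()` call site later in this file; a single feature macro defined once next to this include, or at least a comment saying that 0.9.7 is the first release providing `openssl/conf.h`, would keep the two checks in sync.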
@@ -125,6 +129,10 @@ static const char *SSLerrmessage(void);
125129
#defineRENEGOTIATION_LIMIT (512 * 1024 * 1024)
126130

127131
staticSSL_CTX*SSL_context=NULL;
132+
133+
/* GUC variable controlling SSL cipher list*/
134+
externchar*SSLCipherSuites;
135+
128136
#endif
129137

130138
/* ------------------------------------------------------------ */
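Review bot: this `extern char *SSLCipherSuites;` duplicates the declaration that the same commit adds to `src/include/postmaster/postmaster.h`; a file-local redeclaration can silently diverge from the header in type or name, so drop it and include `postmaster/postmaster.h` here if it is not already included.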
@@ -719,6 +727,9 @@ initialize_SSL(void)
719727

720728
if (!SSL_context)
721729
{
730+
#ifSSLEAY_VERSION_NUMBER >=0x0907000L
731+
OPENSSL_config(NULL);
732+
#endif
722733
SSL_library_init();
723734
SSL_load_error_strings();
724735
SSL_context=SSL_CTX_new(SSLv23_method());
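Review bot: `OPENSSL_config(NULL)` returns nothing, so a missing or malformed configuration file cannot be reported through `elog` from this code path and the server proceeds with whatever OpenSSL applied; the new call needs a comment saying so, that the file is located via `OPENSSL_CONF` (as runtime.sgml now documents), and why the call is gated on OpenSSL 0.9.7.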
@@ -780,7 +791,7 @@ initialize_SSL(void)
780791
SSL_CTX_set_options(SSL_context,SSL_OP_SINGLE_DH_USE |SSL_OP_NO_SSLv2);
781792

782793
/* setup the allowed cipher list */
783-
if (SSL_CTX_set_cipher_list(SSL_context,"ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH")!=1)
794+
if (SSL_CTX_set_cipher_list(SSL_context,SSLCipherSuites)!=1)
784795
elog(FATAL,"could not set the cipher list (no valid ciphers available)");
785796

786797
/*
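Review bot: now that the cipher list comes from an administrator-editable GUC, the FATAL message should include the rejected value, e.g. `elog(FATAL, "could not set the cipher list \"%s\" (no valid ciphers available)", SSLCipherSuites);`, otherwise a typo in `ssl_ciphers` produces the same message as a broken OpenSSL build. An empty string is worth checking explicitly too, so the message can say the list is empty; the guc.c entry has no assign hook that would reject it earlier.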

src/backend/postmaster/postmaster.c

Lines changed: 2 additions & 1 deletion
@@ -37,7 +37,7 @@
3737
*
3838
*
3939
* IDENTIFICATION
40-
* $PostgreSQL: pgsql/src/backend/postmaster/postmaster.c,v 1.523 2007/02/16 02:10:07 alvherre Exp $
40+
* $PostgreSQL: pgsql/src/backend/postmaster/postmaster.c,v 1.524 2007/02/16 02:59:41 momjian Exp $
4141
*
4242
* NOTES
4343
*
@@ -187,6 +187,7 @@ static intSendStop = false;
187187

188188
/* still more option variables */
189189
boolEnableSSL= false;
190+
char*SSLCipherSuites;
190191
boolSilentMode= false;/* silent mode (-S) */
191192

192193
intPreAuthDelay=0;

src/backend/utils/misc/guc.c

Lines changed: 11 additions & 1 deletion
@@ -10,7 +10,7 @@
1010
* Written by Peter Eisentraut <peter_e@gmx.net>.
1111
*
1212
* IDENTIFICATION
13-
* $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.374 2007/02/14 03:08:44 neilc Exp $
13+
* $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.375 2007/02/16 02:59:41 momjian Exp $
1414
*
1515
*--------------------------------------------------------------------
1616
*/
@@ -2314,6 +2314,16 @@ static struct config_string ConfigureNamesString[] =
23142314
NULL,assign_temp_tablespaces,NULL
23152315
},
23162316

2317+
{
2318+
{"ssl_ciphers",PGC_POSTMASTER,CONN_AUTH_SECURITY,
2319+
gettext_noop("Sets the list of allowed SSL ciphers."),
2320+
NULL,
2321+
GUC_SUPERUSER_ONLY
2322+
},
2323+
&SSLCipherSuites,
2324+
"ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH",NULL,NULL
2325+
},
2326+
23172327
/* End-of-list marker */
23182328
{
23192329
{NULL,0,0,NULL,NULL},NULL,NULL,NULL,NULL
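Review bot: the assign hook for `ssl_ciphers` is NULL, so the value is only validated when `initialize_SSL()` calls `SSL_CTX_set_cipher_list()`, where a bad value is FATAL; a hook that validates the string against OpenSSL at assignment time would report the problem with the setting name attached. The long description is NULL as well; it should say that the value uses OpenSSL cipher-list syntax, since the short description "Sets the list of allowed SSL ciphers." does not.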

src/backend/utils/misc/postgresql.conf.sample

Lines changed: 1 addition & 0 deletions
@@ -74,6 +74,7 @@
7474

7575
#authentication_timeout = 1min# 1s-600s
7676
#ssl = off# (change requires restart)
77+
#ssl_ciphers = 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH' # List of ciphers to use
7778
#password_encryption = on
7879
#db_user_namespace = off
7980

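Review bot: the new sample line lacks the `# (change requires restart)` annotation that the `#ssl = off` line directly above carries, even though `ssl_ciphers` is registered as PGC_POSTMASTER in guc.c; add it so administrators know a reload is not enough.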
src/include/postmaster/postmaster.h

Lines changed: 2 additions & 1 deletion
@@ -6,7 +6,7 @@
66
* Portions Copyright (c) 1996-2007, PostgreSQL Global Development Group
77
* Portions Copyright (c) 1994, Regents of the University of California
88
*
9-
* $PostgreSQL: pgsql/src/include/postmaster/postmaster.h,v 1.15 2007/01/05 22:19:57 momjian Exp $
9+
* $PostgreSQL: pgsql/src/include/postmaster/postmaster.h,v 1.16 2007/02/16 02:59:41 momjian Exp $
1010
*
1111
*-------------------------------------------------------------------------
1212
*/
@@ -15,6 +15,7 @@
1515

1616
/* GUC options */
1717
externboolEnableSSL;
18+
externchar*SSLCipherSuites;
1819
externboolSilentMode;
1920
externintReservedBackends;
2021
externintPostPortNumber;
