NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commitef32675

committed

SSL: Add configuration option to prefer server cipher order

By default, OpenSSL (and SSL/TLS in general) lets the client cipherorder take priority. This is OK for browsers where the ciphers weretuned, but few PostgreSQL client libraries make the cipher orderconfigurable. So it makes sense to have the cipher order inpostgresql.conf take priority over client defaults.This patch adds the setting "ssl_prefer_server_ciphers" that can beturned on so that server cipher order is preferred. Per discussion,this now defaults to on.From: Marko Kreen <markokr@gmail.com>Reviewed-by: Adrian Klaver <adrian.klaver@gmail.com>

1 parent8fe3d90 commitef32675Copy full SHA for ef32675

File tree

4 files changed

+39

-0

lines changed

doc/src/sgml
- config.sgml
src/backend
- libpq
  - be-secure.c
- utils/misc
  - guc.c
  - postgresql.conf.sample

4 files changed

+39

-0

lines changed

`‎doc/src/sgml/config.sgml`

Lines changed: 21 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -886,6 +886,27 @@ include 'filename'`
`886`	`886`	`</listitem>`
`887`	`887`	`</varlistentry>`
`888`	`888`
	`889`	`+ <varlistentry id="guc-ssl-prefer-server-ciphers" xreflabel="ssl_prefer_server_ciphers">`
	`890`	`+ <term><varname>ssl_prefer_server_ciphers</varname> (<type>bool</type>)</term>`
	`891`	`+ <indexterm>`
	`892`	`+ <primary><varname>ssl_prefer_server_ciphers</> configuration parameter</primary>`
	`893`	`+ </indexterm>`
	`894`	`+ <listitem>`
	`895`	`+ <para>`
	`896`	`+ Specifies whether to use the server's SSL cipher preferences, rather`
	`897`	`+ than the client's. The default is true.`
	`898`	`+ </para>`
	`899`	`+`
	`900`	`+ <para>`
	`901`	`+ Older PostgreSQL versions do not have this setting and always use the`
	`902`	`+ client's preferences. This setting is mainly for backward`
	`903`	`+ compatibility with those versions. Using the server's preferences is`
	`904`	`+ usually better because it is more likely that the server is appropriately`
	`905`	`+ configured.`
	`906`	`+ </para>`
	`907`	`+ </listitem>`
	`908`	`+ </varlistentry>`
	`909`	`+`
`889`	`910`	`<varlistentry id="guc-password-encryption" xreflabel="password_encryption">`
`890`	`911`	`<term><varname>password_encryption</varname> (<type>boolean</type>)</term>`
`891`	`912`	`<indexterm>`

`‎src/backend/libpq/be-secure.c`

Lines changed: 7 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -112,6 +112,9 @@ static bool ssl_loaded_verify_locations = false;`
`112`	`112`	`/* GUC variable controlling SSL cipher list */`
`113`	`113`	`char*SSLCipherSuites=NULL;`
`114`	`114`
	`115`	`+/* GUC variable: if false, prefer client ciphers */`
	`116`	`+boolSSLPreferServerCiphers;`
	`117`	`+`
`115`	`118`	`/* ------------------------------------------------------------ */`
`116`	`119`	`/* Hardcoded values*/`
`117`	`120`	`/* ------------------------------------------------------------ */`
`@@ -854,6 +857,10 @@ initialize_SSL(void)`
`854`	`857`	`if (SSL_CTX_set_cipher_list(SSL_context,SSLCipherSuites)!=1)`
`855`	`858`	`elog(FATAL,"could not set the cipher list (no valid ciphers available)");`
`856`	`859`
	`860`	`+/* Let server choose order */`
	`861`	`+if (SSLPreferServerCiphers)`
	`862`	`+SSL_CTX_set_options(SSL_context,SSL_OP_CIPHER_SERVER_PREFERENCE);`
	`863`	`+`
`857`	`864`	`/*`
`858`	`865`	`* Load CA store, so we can verify client certificates if needed.`
`859`	`866`	`*/`

`‎src/backend/utils/misc/guc.c`

Lines changed: 10 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -127,6 +127,7 @@ extern char *temp_tablespaces;`
`127`	`127`	`externboolignore_checksum_failure;`
`128`	`128`	`externboolsynchronize_seqscans;`
`129`	`129`	`externchar*SSLCipherSuites;`
	`130`	`+externboolSSLPreferServerCiphers;`
`130`	`131`
`131`	`132`	`#ifdefTRACE_SORT`
`132`	`133`	`externbooltrace_sort;`
`@@ -800,6 +801,15 @@ static struct config_bool ConfigureNamesBool[] =`
`800`	`801`	`false,`
`801`	`802`	`check_ssl,NULL,NULL`
`802`	`803`	`},`
	`804`	`+{`
	`805`	`+{"ssl_prefer_server_ciphers",PGC_POSTMASTER,CONN_AUTH_SECURITY,`
	`806`	`+gettext_noop("Give priority to server ciphersuite order."),`
	`807`	`+NULL`
	`808`	`+},`
	`809`	`+&SSLPreferServerCiphers,`
	`810`	`+true,`
	`811`	`+NULL,NULL,NULL`
	`812`	`+},`
`803`	`813`	`{`
`804`	`814`	`{"fsync",PGC_SIGHUP,WAL_SETTINGS,`
`805`	`815`	`gettext_noop("Forces synchronization of updates to disk."),`

`‎src/backend/utils/misc/postgresql.conf.sample`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -81,6 +81,7 @@`
`81`	`81`	`#ssl = off# (change requires restart)`
`82`	`82`	`#ssl_ciphers = 'DEFAULT:!LOW:!EXP:!MD5:@STRENGTH'# allowed SSL ciphers`
`83`	`83`	`# (change requires restart)`
	`84`	`+#ssl_prefer_server_ciphers = on# (change requires restart)`
`84`	`85`	`#ssl_renegotiation_limit = 512MB# amount of data between renegotiations`
`85`	`86`	`#ssl_cert_file = 'server.crt'# (change requires restart)`
`86`	`87`	`#ssl_key_file = 'server.key'# (change requires restart)`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitef32675

File tree

4 files changed

4 files changed

`‎doc/src/sgml/config.sgml`

`‎src/backend/libpq/be-secure.c`

`‎src/backend/utils/misc/guc.c`

`‎src/backend/utils/misc/postgresql.conf.sample`

0 commit comments