NotificationsYou must be signed in to change notification settings
Fork5
Star26

Commit32001ab

committed

Update and clarify ssl_ciphers default

- Write HIGH:MEDIUM instead of DEFAULT:!LOW:!EXP for clarity.- Order 3DES last to work around inappropriate OpenSSL default.- Remove !MD5 and@strength, because they are irrelevant.- Add clarifying documentation.Effectively, the new default is almost the same as the old one, but itis arguably easier to understand and modify.Author: Marko Kreen <markokr@gmail.com>

1 parent848ae33 commit32001abCopy full SHA for 32001ab

File tree

3 files changed

+64

-5

lines changed

doc/src/sgml
- config.sgml
src/backend/utils/misc
- guc.c
- postgresql.conf.sample

3 files changed

+64

-5

lines changed

`‎doc/src/sgml/config.sgml`

Lines changed: 62 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -889,12 +889,71 @@ include 'filename'`
`889`	`889`	`</indexterm>`
`890`	`890`	`<listitem>`
`891`	`891`	`<para>`
`892`		`- Specifies a list of <acronym>SSL</>ciphers that are allowed to be`
	`892`	`+ Specifies a list of <acronym>SSL</>cipher suites that are allowed to be`
`893`	`893`	`used on secure connections. See`
`894`	`894`	`the <citerefentry><refentrytitle>ciphers</></citerefentry> manual page`
`895`	`895`	`in the <application>OpenSSL</> package for the syntax of this setting`
`896`		`- and a list of supported values. The default value is usually`
`897`		`- reasonable, unless you have specific security requirements.`
	`896`	`+ and a list of supported values. The default value is`
	`897`	`+ <literal>HIGH:MEDIUM:+3DES:!aNULL</>. It is usually reasonable,`
	`898`	`+ unless you have specific security requirements.`
	`899`	`+ </para>`
	`900`	`+`
	`901`	`+ <para>`
	`902`	`+ Explanation of the default value:`
	`903`	`+ <variablelist>`
	`904`	`+ <varlistentry>`
	`905`	`+ <term><literal>HIGH</literal></term>`
	`906`	`+ <listitem>`
	`907`	`+ <para>`
	`908`	`+ Cipher suites that use ciphers from <literal>HIGH</> group (e.g.,`
	`909`	`+ AES, Camellia, 3DES)`
	`910`	`+ </para>`
	`911`	`+ </listitem>`
	`912`	`+ </varlistentry>`
	`913`	`+`
	`914`	`+ <varlistentry>`
	`915`	`+ <term><literal>MEDIUM</literal></term>`
	`916`	`+ <listitem>`
	`917`	`+ <para>`
	`918`	`+ Cipher suites that use ciphers from <literal>MEDIUM</> group`
	`919`	`+ (e.g., RC4, SEED)`
	`920`	`+ </para>`
	`921`	`+ </listitem>`
	`922`	`+ </varlistentry>`
	`923`	`+`
	`924`	`+ <varlistentry>`
	`925`	`+ <term><literal>+3DES</literal></term>`
	`926`	`+ <listitem>`
	`927`	`+ <para>`
	`928`	`+ The OpenSSL default order for <literal>HIGH</> is problematic`
	`929`	`+ because it orders 3DES higher than AES128. This is wrong because`
	`930`	`+ 3DES offers less security than AES128, and it is also much`
	`931`	`+ slower. <literal>+3DES</> reorders it after all other`
	`932`	`+ <literal>HIGH</> and <literal>MEDIUM</> ciphers.`
	`933`	`+ </para>`
	`934`	`+ </listitem>`
	`935`	`+ </varlistentry>`
	`936`	`+`
	`937`	`+ <varlistentry>`
	`938`	`+ <term><literal>!aNULL</literal></term>`
	`939`	`+ <listitem>`
	`940`	`+ <para>`
	`941`	`+ Disables anonymous cipher suites that do no authentication. Such`
	`942`	`+ cipher suites are vulnerable to man-in-the-middle attacks and`
	`943`	`+ therefore should not be used.`
	`944`	`+ </para>`
	`945`	`+ </listitem>`
	`946`	`+ </varlistentry>`
	`947`	`+ </variablelist>`
	`948`	`+ </para>`
	`949`	`+`
	`950`	`+ <para>`
	`951`	`+ Available cipher suite details will vary across OpenSSL versions. Use`
	`952`	`+ the command`
	`953`	`+ <literal>openssl ciphers -v 'HIGH:MEDIUM:+3DES:!aNULL'</literal> to`
	`954`	`+ see actual details for the currently installed <application>OpenSSL</>`
	`955`	`+ version. Note that this list is filtered at run time based on the`
	`956`	`+ server key type.`
`898`	`957`	`</para>`
`899`	`958`	`</listitem>`
`900`	`959`	`</varlistentry>`

`‎src/backend/utils/misc/guc.c`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -3237,7 +3237,7 @@ static struct config_string ConfigureNamesString[] =`
`3237`	`3237`	`},`
`3238`	`3238`	`&SSLCipherSuites,`
`3239`	`3239`	`#ifdefUSE_SSL`
`3240`		`-"DEFAULT:!LOW:!EXP:!MD5:@STRENGTH",`
	`3240`	`+"HIGH:MEDIUM:+3DES:!aNULL",`
`3241`	`3241`	`#else`
`3242`	`3242`	`"none",`
`3243`	`3243`	`#endif`

`‎src/backend/utils/misc/postgresql.conf.sample`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -79,7 +79,7 @@`
`79`	`79`
`80`	`80`	`#authentication_timeout = 1min# 1s-600s`
`81`	`81`	`#ssl = off# (change requires restart)`
`82`		`-#ssl_ciphers = 'DEFAULT:!LOW:!EXP:!MD5:@STRENGTH'# allowed SSL ciphers`
	`82`	`+#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'# allowed SSL ciphers`
`83`	`83`	`# (change requires restart)`
`84`	`84`	`#ssl_prefer_server_ciphers = on# (change requires restart)`
`85`	`85`	`#ssl_ecdh_curve = 'prime256v1'# (change requires restart)`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit32001ab

File tree

3 files changed

3 files changed

`‎doc/src/sgml/config.sgml`

`‎src/backend/utils/misc/guc.c`

`‎src/backend/utils/misc/postgresql.conf.sample`

0 commit comments