v5-0003-Support-configuring-TLSv1.3-cipher-suites.patch
application/octet-stream
Filename: v5-0003-Support-configuring-TLSv1.3-cipher-suites.patch
Type: application/octet-stream
Part: 0
Patch
Format: format-patch
Series: patch v5-0003
Subject: Support configuring TLSv1.3 cipher suites
| File | + | − |
|---|---|---|
| doc/src/sgml/config.sgml | 29 | 8 |
| src/backend/libpq/be-secure.c | 1 | 0 |
| src/backend/libpq/be-secure-openssl.c | 19 | 3 |
| src/backend/utils/misc/guc_tables.c | 13 | 2 |
| src/backend/utils/misc/postgresql.conf.sample | 2 | 1 |
| src/include/libpq/libpq.h | 1 | 0 |
| src/test/ssl/t/SSL/Server.pm | 2 | 1 |
From 65f972ba9032a260328193747aebd3975c09d3d2 Mon Sep 17 00:00:00 2001
From: Daniel Gustafsson <dgustafsson@postgresql.org>
Date: Mon, 9 Sep 2024 13:25:16 +0200
Subject: [PATCH v5 3/3] Support configuring TLSv1.3 cipher suites
The ssl_ciphers GUC can only set cipher suites for TLSv1.2, and lower,
connections. For TLSv1.3 connections a different OpenSSL must be used.
This adds a new GUC, ssl_cipher_suites, which can be used to configure
a colon separated list of cipher suites to support when performing a
TLSv1.3 handshake.
Original patch by Erica Zhang with additional hacking by me.
Author: Erica Zhang <ericazhangy2021@qq.com>
Author: Daniel Gustafsson <daniel@yesql.se>
Reviewed-by: Jacob Champion <jacob.champion@enterprisedb.com>
Reviewed-by: Andres Freund <andres@anarazel.de>
Reviewed-by: Peter Eisentraut <peter@eisentraut.org>
Reviewed-by: Jelte Fennema-Nio <postgres@jeltef.nl>
Discussion: https://postgr.es/m/tencent_063F89FA72CCF2E48A0DF5338841988E9809@qq.com
---
doc/src/sgml/config.sgml | 37 +++++++++++++++----
src/backend/libpq/be-secure-openssl.c | 22 +++++++++--
src/backend/libpq/be-secure.c | 1 +
src/backend/utils/misc/guc_tables.c | 15 +++++++-
src/backend/utils/misc/postgresql.conf.sample | 3 +-
src/include/libpq/libpq.h | 1 +
src/test/ssl/t/SSL/Server.pm | 3 +-
7 files changed, 67 insertions(+), 15 deletions(-)
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index 25f60dfeef..334a8c24b9 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -1340,6 +1340,29 @@ include_dir 'conf.d'
</listitem>
</varlistentry>
+ <varlistentry id="guc-ssl-cipher-suites" xreflabel="ssl_cipher_suites">
+ <term><varname>ssl_cipher_suites</varname> (<type>string</type>)
+ <indexterm>
+ <primary><varname>ssl_cipher_suites</varname> configuration parameter</primary>
+ </indexterm>
+ </term>
+ <listitem>
+ <para>
+ Specifies a list of <acronym>SSL</acronym> cipher suites that are
+ allowed by connections using TLS version 1.3. Multiple cipher suites
+ can be specified by using a colon separated list. If left blank, the
+ default set of cipher suites in <productname>OpenSSL</productname>
+ will be used.
+ </para>
+
+ <para>
+ This parameter can only be set in the
+ <filename>postgresql.conf</filename> file or on the server command
+ line.
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry id="guc-ssl-ciphers" xreflabel="ssl_ciphers">
<term><varname>ssl_ciphers</varname> (<type>string</type>)
<indexterm>
@@ -1348,15 +1371,13 @@ include_dir 'conf.d'
</term>
<listitem>
<para>
- Specifies a list of <acronym>SSL</acronym> cipher suites that are
- allowed to be used by SSL connections. See the
- <citerefentry><refentrytitle>ciphers</refentrytitle></citerefentry>
+ Specifies a list of <acronym>SSL</acronym> ciphers that are allowed by
+ connections using TLS version 1.2 and lower, see
+ <xref linkend="guc-ssl-cipher-suites"/> for TLS version 1.3 connections. See
+ the <citerefentry><refentrytitle>ciphers</refentrytitle></citerefentry>
manual page in the <productname>OpenSSL</productname> package for the
- syntax of this setting and a list of supported values. Only
- connections using TLS version 1.2 and lower are affected. There is
- currently no setting that controls the cipher choices used by TLS
- version 1.3 connections. The default value is
- <literal>HIGH:MEDIUM:+3DES:!aNULL</literal>. The default is usually a
+ syntax of this setting and a list of supported values. The default value
+ is <literal>HIGH:MEDIUM:+3DES:!aNULL</literal>. The default is usually a
reasonable choice unless you have specific security requirements.
</para>
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 72da8f72dc..06fe650663 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -287,15 +287,31 @@ be_tls_init(bool isServerStart)
if (!initialize_ecdh(context, isServerStart))
goto error;
- /* set up the allowed cipher list */
- if (SSL_CTX_set_cipher_list(context, SSLCipherSuites) != 1)
+ /* set up the allowed cipher list for TLSv1.2 and below */
+ if (SSL_CTX_set_cipher_list(context, SSLCipherLists) != 1)
{
ereport(isServerStart ? FATAL : LOG,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
- errmsg("could not set the cipher list (no valid ciphers available)")));
+ errmsg("could not set the TLSv1.2 cipher list (no valid ciphers available)")));
goto error;
}
+ /*
+ * Set up the allowed cipher suites for TLSv1.3. If the GUC is an empty
+ * string we leave the allowed suites to be the OpenSSL default value.
+ */
+ if (SSLCipherSuites[0])
+ {
+ /* set up the allowed cipher suites */
+ if (SSL_CTX_set_ciphersuites(context, SSLCipherSuites) != 1)
+ {
+ ereport(isServerStart ? FATAL : LOG,
+ (errcode(ERRCODE_CONFIG_FILE_ERROR),
+ errmsg("could not set the TLSv1.3 cipher suites (no valid ciphers available)")));
+ goto error;
+ }
+ }
+
/* Let server choose order */
if (SSLPreferServerCiphers)
SSL_CTX_set_options(context, SSL_OP_CIPHER_SERVER_PREFERENCE);
diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c
index ef20ea755b..4d568983dc 100644
--- a/src/backend/libpq/be-secure.c
+++ b/src/backend/libpq/be-secure.c
@@ -49,6 +49,7 @@ bool ssl_loaded_verify_locations = false;
/* GUC variable controlling SSL cipher list */
char *SSLCipherSuites = NULL;
+char *SSLCipherLists = NULL;
/* GUC variable for default ECHD curve. */
char *SSLECDHCurve;
diff --git a/src/backend/utils/misc/guc_tables.c b/src/backend/utils/misc/guc_tables.c
index 620e318e94..1806b87ab8 100644
--- a/src/backend/utils/misc/guc_tables.c
+++ b/src/backend/utils/misc/guc_tables.c
@@ -4641,12 +4641,23 @@ struct config_string ConfigureNamesString[] =
},
{
- {"ssl_ciphers", PGC_SIGHUP, CONN_AUTH_SSL,
- gettext_noop("Sets the list of allowed SSL ciphers."),
+ {"ssl_cipher_suites", PGC_SIGHUP, CONN_AUTH_SSL,
+ gettext_noop("Sets the list of allowed TLSv1.3 cipher suites (leave blank for default)."),
NULL,
GUC_SUPERUSER_ONLY
},
&SSLCipherSuites,
+ "",
+ NULL, NULL, NULL
+ },
+
+ {
+ {"ssl_ciphers", PGC_SIGHUP, CONN_AUTH_SSL,
+ gettext_noop("Sets the list of allowed TLSv1.2 (and lower) ciphers."),
+ NULL,
+ GUC_SUPERUSER_ONLY
+ },
+ &SSLCipherLists,
#ifdef USE_OPENSSL
"HIGH:MEDIUM:+3DES:!aNULL",
#else
diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample
index 204eab5f1a..454e05c9f5 100644
--- a/src/backend/utils/misc/postgresql.conf.sample
+++ b/src/backend/utils/misc/postgresql.conf.sample
@@ -110,7 +110,8 @@
#ssl_crl_file = ''
#ssl_crl_dir = ''
#ssl_key_file = 'server.key'
-#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
+#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed TLSv1.2 ciphers
+#ssl_cipher_suites = '' # allowed TLSv1.3 cipher suites, blank for default
#ssl_prefer_server_ciphers = on
#ssl_groups = 'prime256v1'
#ssl_min_protocol_version = 'TLSv1.2'
diff --git a/src/include/libpq/libpq.h b/src/include/libpq/libpq.h
index 142c98462e..5e0d796972 100644
--- a/src/include/libpq/libpq.h
+++ b/src/include/libpq/libpq.h
@@ -118,6 +118,7 @@ extern ssize_t secure_open_gssapi(Port *port);
/* GUCs */
extern PGDLLIMPORT char *SSLCipherSuites;
+extern PGDLLIMPORT char *SSLCipherLists;
extern PGDLLIMPORT char *SSLECDHCurve;
extern PGDLLIMPORT bool SSLPreferServerCiphers;
extern PGDLLIMPORT int ssl_min_protocol_version;
diff --git a/src/test/ssl/t/SSL/Server.pm b/src/test/ssl/t/SSL/Server.pm
index 6575f71a80..98c344f48e 100644
--- a/src/test/ssl/t/SSL/Server.pm
+++ b/src/test/ssl/t/SSL/Server.pm
@@ -300,8 +300,9 @@ sub switch_server_cert
ok(unlink($node->data_dir . '/sslconfig.conf'));
$node->append_conf('sslconfig.conf', "ssl=on");
$node->append_conf('sslconfig.conf', $backend->set_server_cert(\%params));
- # use lists of ECDH curves for syntax testing
+ # use lists of ECDH curves and cipher suites for syntax testing
$node->append_conf('sslconfig.conf', 'ssl_ecdh_curve=prime256v1:secp521r1');
+ $node->append_conf('sslconfig.conf', 'ssl_cipher_suites=TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256');
$node->append_conf('sslconfig.conf',
"ssl_passphrase_command='" . $params{passphrase_cmd} . "'")
--
2.39.3 (Apple Git-146)