From 65f972ba9032a260328193747aebd3975c09d3d2 Mon Sep 17 00:00:00 2001 From: Daniel Gustafsson Date: Mon, 9 Sep 2024 13:25:16 +0200 Subject: [PATCH v5 3/3] Support configuring TLSv1.3 cipher suites The ssl_ciphers GUC can only set cipher suites for TLSv1.2, and lower, connections. For TLSv1.3 connections a different OpenSSL must be used. This adds a new GUC, ssl_cipher_suites, which can be used to configure a colon separated list of cipher suites to support when performing a TLSv1.3 handshake. Original patch by Erica Zhang with additional hacking by me. Author: Erica Zhang Author: Daniel Gustafsson Reviewed-by: Jacob Champion Reviewed-by: Andres Freund Reviewed-by: Peter Eisentraut Reviewed-by: Jelte Fennema-Nio Discussion: https://postgr.es/m/tencent_063F89FA72CCF2E48A0DF5338841988E9809@qq.com --- doc/src/sgml/config.sgml | 37 +++++++++++++++---- src/backend/libpq/be-secure-openssl.c | 22 +++++++++-- src/backend/libpq/be-secure.c | 1 + src/backend/utils/misc/guc_tables.c | 15 +++++++- src/backend/utils/misc/postgresql.conf.sample | 3 +- src/include/libpq/libpq.h | 1 + src/test/ssl/t/SSL/Server.pm | 3 +- 7 files changed, 67 insertions(+), 15 deletions(-) diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml index 25f60dfeef..334a8c24b9 100644 --- a/doc/src/sgml/config.sgml +++ b/doc/src/sgml/config.sgml @@ -1340,6 +1340,29 @@ include_dir 'conf.d' + + ssl_cipher_suites (string) + + ssl_cipher_suites configuration parameter + + + + + Specifies a list of SSL cipher suites that are + allowed by connections using TLS version 1.3. Multiple cipher suites + can be specified by using a colon separated list. If left blank, the + default set of cipher suites in OpenSSL + will be used. + + + + This parameter can only be set in the + postgresql.conf file or on the server command + line. + + + + ssl_ciphers (string) @@ -1348,15 +1371,13 @@ include_dir 'conf.d' - Specifies a list of SSL cipher suites that are - allowed to be used by SSL connections. See the - ciphers + Specifies a list of SSL ciphers that are allowed by + connections using TLS version 1.2 and lower, see + for TLS version 1.3 connections. See + the ciphers manual page in the OpenSSL package for the - syntax of this setting and a list of supported values. Only - connections using TLS version 1.2 and lower are affected. There is - currently no setting that controls the cipher choices used by TLS - version 1.3 connections. The default value is - HIGH:MEDIUM:+3DES:!aNULL. The default is usually a + syntax of this setting and a list of supported values. The default value + is HIGH:MEDIUM:+3DES:!aNULL. The default is usually a reasonable choice unless you have specific security requirements. diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 72da8f72dc..06fe650663 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -287,15 +287,31 @@ be_tls_init(bool isServerStart) if (!initialize_ecdh(context, isServerStart)) goto error; - /* set up the allowed cipher list */ - if (SSL_CTX_set_cipher_list(context, SSLCipherSuites) != 1) + /* set up the allowed cipher list for TLSv1.2 and below */ + if (SSL_CTX_set_cipher_list(context, SSLCipherLists) != 1) { ereport(isServerStart ? FATAL : LOG, (errcode(ERRCODE_CONFIG_FILE_ERROR), - errmsg("could not set the cipher list (no valid ciphers available)"))); + errmsg("could not set the TLSv1.2 cipher list (no valid ciphers available)"))); goto error; } + /* + * Set up the allowed cipher suites for TLSv1.3. If the GUC is an empty + * string we leave the allowed suites to be the OpenSSL default value. + */ + if (SSLCipherSuites[0]) + { + /* set up the allowed cipher suites */ + if (SSL_CTX_set_ciphersuites(context, SSLCipherSuites) != 1) + { + ereport(isServerStart ? FATAL : LOG, + (errcode(ERRCODE_CONFIG_FILE_ERROR), + errmsg("could not set the TLSv1.3 cipher suites (no valid ciphers available)"))); + goto error; + } + } + /* Let server choose order */ if (SSLPreferServerCiphers) SSL_CTX_set_options(context, SSL_OP_CIPHER_SERVER_PREFERENCE); diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c index ef20ea755b..4d568983dc 100644 --- a/src/backend/libpq/be-secure.c +++ b/src/backend/libpq/be-secure.c @@ -49,6 +49,7 @@ bool ssl_loaded_verify_locations = false; /* GUC variable controlling SSL cipher list */ char *SSLCipherSuites = NULL; +char *SSLCipherLists = NULL; /* GUC variable for default ECHD curve. */ char *SSLECDHCurve; diff --git a/src/backend/utils/misc/guc_tables.c b/src/backend/utils/misc/guc_tables.c index 620e318e94..1806b87ab8 100644 --- a/src/backend/utils/misc/guc_tables.c +++ b/src/backend/utils/misc/guc_tables.c @@ -4641,12 +4641,23 @@ struct config_string ConfigureNamesString[] = }, { - {"ssl_ciphers", PGC_SIGHUP, CONN_AUTH_SSL, - gettext_noop("Sets the list of allowed SSL ciphers."), + {"ssl_cipher_suites", PGC_SIGHUP, CONN_AUTH_SSL, + gettext_noop("Sets the list of allowed TLSv1.3 cipher suites (leave blank for default)."), NULL, GUC_SUPERUSER_ONLY }, &SSLCipherSuites, + "", + NULL, NULL, NULL + }, + + { + {"ssl_ciphers", PGC_SIGHUP, CONN_AUTH_SSL, + gettext_noop("Sets the list of allowed TLSv1.2 (and lower) ciphers."), + NULL, + GUC_SUPERUSER_ONLY + }, + &SSLCipherLists, #ifdef USE_OPENSSL "HIGH:MEDIUM:+3DES:!aNULL", #else diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample index 204eab5f1a..454e05c9f5 100644 --- a/src/backend/utils/misc/postgresql.conf.sample +++ b/src/backend/utils/misc/postgresql.conf.sample @@ -110,7 +110,8 @@ #ssl_crl_file = '' #ssl_crl_dir = '' #ssl_key_file = 'server.key' -#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers +#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed TLSv1.2 ciphers +#ssl_cipher_suites = '' # allowed TLSv1.3 cipher suites, blank for default #ssl_prefer_server_ciphers = on #ssl_groups = 'prime256v1' #ssl_min_protocol_version = 'TLSv1.2' diff --git a/src/include/libpq/libpq.h b/src/include/libpq/libpq.h index 142c98462e..5e0d796972 100644 --- a/src/include/libpq/libpq.h +++ b/src/include/libpq/libpq.h @@ -118,6 +118,7 @@ extern ssize_t secure_open_gssapi(Port *port); /* GUCs */ extern PGDLLIMPORT char *SSLCipherSuites; +extern PGDLLIMPORT char *SSLCipherLists; extern PGDLLIMPORT char *SSLECDHCurve; extern PGDLLIMPORT bool SSLPreferServerCiphers; extern PGDLLIMPORT int ssl_min_protocol_version; diff --git a/src/test/ssl/t/SSL/Server.pm b/src/test/ssl/t/SSL/Server.pm index 6575f71a80..98c344f48e 100644 --- a/src/test/ssl/t/SSL/Server.pm +++ b/src/test/ssl/t/SSL/Server.pm @@ -300,8 +300,9 @@ sub switch_server_cert ok(unlink($node->data_dir . '/sslconfig.conf')); $node->append_conf('sslconfig.conf', "ssl=on"); $node->append_conf('sslconfig.conf', $backend->set_server_cert(\%params)); - # use lists of ECDH curves for syntax testing + # use lists of ECDH curves and cipher suites for syntax testing $node->append_conf('sslconfig.conf', 'ssl_ecdh_curve=prime256v1:secp521r1'); + $node->append_conf('sslconfig.conf', 'ssl_cipher_suites=TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256'); $node->append_conf('sslconfig.conf', "ssl_passphrase_command='" . $params{passphrase_cmd} . "'") -- 2.39.3 (Apple Git-146)