Hi hackers,

in Fedora, there's a crypto initiative where people try to consolidate ssl cipher settings for (the majority of) Fedora services (PostgreSQL is included).

PostgreSQL server uses 'HIGH:MEDIUM:+3DES:!aNULL' cipher set by default, but what Fedora would like to have is 'PROFILE=SYSTEM' (works with Fedora-patched OpenSSL, so please don't waste your time with checking this elsewhere). What that really does is:

    kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:!EXP:!DES:!RC4:!RC2:!IDEA\
    :!SEED:!eNULL:!aNULL:!MD5:!SSLv2

.. but that's just for the record (should be subset of upstream default); more info in RH bug [1].

I'd like to propose the attached patch, so we could (without downstream patching) do

    $ ./configure ... --with-openssl-be-ciphers=PROFILE=SYSTEM

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1348125

Thanks for considering!
Pavel

From dae9b8c0345b65882c221a4062f435cf657fe55a Mon Sep 17 00:00:00 2001
From: Pavel Raiskup <prais...@redhat.com>
Date: Wed, 18 Jan 2017 13:34:55 +0100
Subject: [PATCH] Allow setting distribution-specific cipher set

Fedora OpenSSL maintainers invented a way to specify consolidated,
per-system cipher set [1] and it is our packaging policy to comply (if
this is a bit meaningful). So for such situations ./configure options
come in handy instead of downstream-patching, per Red Hat bug report [2].

[1] https://fedoraproject.org/wiki/Packaging:CryptoPolicies
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1348125
---
 configure                    | 32 ++++++++++++++++++++++++++++++++
 configure.in                 |  8 ++++++++
 src/backend/utils/misc/guc.c |  4 ++++
 src/include/pg_config.h.in   |  3 +++
 4 files changed, 47 insertions(+)

diff --git a/configure b/configure new file mode 100755 index bb285e4..9e7fa82 *** a/configure --- b/configure *************** with_bsd_auth *** 831,836 **** --- 831,837 ---- with_ldap with_bonjour with_openssl + with_openssl_be_ciphers with_selinux with_systemd with_readline *************** Optional Packages: *** 1521,1526 **** --- 1522,1529 ---- --with-ldap build with LDAP support --with-bonjour build with Bonjour support --with-openssl build with OpenSSL support + --with-openssl-be-ciphers=STRING + Replace the default list of server-supported ciphers --with-selinux build with SELinux support --with-systemd build with systemd support --without-readline do not use GNU Readline nor BSD Libedit for editing *************** fi *** 5712,5717 **** --- 5715,5749 ---- $as_echo "$with_openssl" >&6; } + + + + # Check whether --with-openssl-be-ciphers was given. + if test "${with_openssl_be_ciphers+set}" = set; then : + withval=$with_openssl_be_ciphers; + case $withval in + yes) + as_fn_error $? "argument required for --with-openssl-be-ciphers option" "$LINENO" 5 + ;; + no) + as_fn_error $? "argument required for --with-openssl-be-ciphers option" "$LINENO" 5 + ;; + *) + + cat >>confdefs.h <<_ACEOF + #define PG_DEFAULT_SSL_CIPHERS "$with_openssl_be_ciphers" + _ACEOF + + ;; + esac + + fi + + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to replace default OpenSSL cypher set" >&5 + $as_echo_n "checking whether to replace default OpenSSL cypher set... " >&6; } + # # SELinux # 
diff --git a/configure.in b/configure.in new file mode 100644 index 09a887d..f26f1fa *** a/configure.in --- b/configure.in *************** PGAC_ARG_BOOL(with, openssl, no, [build *** 712,717 **** --- 712,725 ---- AC_MSG_RESULT([$with_openssl]) AC_SUBST(with_openssl) + PGAC_ARG_REQ(with, openssl-be-ciphers, [STRING], + [Replace the default list of server-supported ciphers], + [AC_DEFINE_UNQUOTED([PG_DEFAULT_SSL_CIPHERS], + ["$with_openssl_be_ciphers"], + [Re-define the default for server ssl_ciphers option])]) + + AC_MSG_CHECKING([whether to replace default OpenSSL cypher set]) + # # SELinux # diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c new file mode 100644 index 4f1891f..8b4e576 *** a/src/backend/utils/misc/guc.c --- b/src/backend/utils/misc/guc.c *************** static struct config_string ConfigureNam *** 3508,3514 **** --- 3508,3518 ---- }, &SSLCipherSuites, #ifdef USE_SSL + #ifdef PG_DEFAULT_SSL_CIPHERS + PG_DEFAULT_SSL_CIPHERS, + #else "HIGH:MEDIUM:+3DES:!aNULL", + #endif #else "none", #endif diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in new file mode 100644 index 7dbfa90..8367744 *** a/src/include/pg_config.h.in --- b/src/include/pg_config.h.in *************** *** 738,743 **** --- 738,746 ---- /* Define to the version of this package. */ #undef PACKAGE_VERSION + /* Re-define the default for server ssl_ciphers option */ + #undef PG_DEFAULT_SSL_CIPHERS + /* Define to the name of a signed 128-bit integer type. */ #undef PG_INT128_TYPE -- 2.9.3
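
Review bot: In the configure.in hunk, AC_MSG_CHECKING([whether to replace default OpenSSL cypher set]) is placed after PGAC_ARG_REQ and has no matching AC_MSG_RESULT, so configure prints a dangling "checking ..." line (the generated configure hunk shows the $as_echo_n with no result after it). Move the check before the argument handling and report the chosen string with AC_MSG_RESULT, or drop the message, and spell it "cipher" to match the option name. The argument is also pasted unescaped into a C string literal via AC_DEFINE_UNQUOTED, so a double quote or backslash in the value yields a pg_config.h that does not compile, and nothing here verifies that the OpenSSL being linked accepts the string, which matters because the cover mail says PROFILE=SYSTEM only works with Fedora-patched OpenSSL. The macro is also defined even when --with-openssl is not given; rejecting that combination would make the dependency explicit.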
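
Review bot: In the guc.c hunk the boot value of ssl_ciphers becomes build-dependent, yet the diffstat lists only configure, configure.in, guc.c and pg_config.h.in, so no documentation is updated to describe the new option or to tell an administrator that the effective default may differ from "HIGH:MEDIUM:+3DES:!aNULL". Please add documentation for --with-openssl-be-ciphers and note the build-time override wherever the ssl_ciphers default is described. The nested #ifdef PG_DEFAULT_SSL_CIPHERS inside #ifdef USE_SSL would read more cleanly if the fallback string were defined once (an #ifndef PG_DEFAULT_SSL_CIPHERS block supplying the upstream value) and the macro used unconditionally in the USE_SSL branch.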
-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)