On Wednesday, February 8, 2017 1:29:19 PM CET Pavel Raiskup wrote:
> On Wednesday, February 8, 2017 1:05:08 AM CET Tom Lane wrote:
> > Peter Eisentraut <peter.eisentr...@2ndquadrant.com> writes:
> > > On 2/7/17 11:21 AM, Tom Lane wrote:
> > >> A compromise that might be worth considering is to introduce
> > >> #define PG_DEFAULT_SSL_CIPHERS "HIGH:MEDIUM:+3DES:!aNULL"
> > >> into pg_config_manual.h, which would at least give you a reasonably
> > >> stable target point for a long-lived patch.
> >
> > > You'd still need to patch postgresql.conf.sample somehow.
> >
> > Right. The compromise position that I had in mind was to add the
> > #define in pg_config_manual.h and teach initdb to propagate it into
> > the installed copy of postgresql.conf, as we've done with other GUCs
> > with platform-dependent defaults, such as backend_flush_after.
> >
> > That still leaves the question of what to do with the SGML docs.
> > We could add some weasel wording to the effect that the default might
> > be platform-specific, or we could leave the docs alone and expect the
> > envisioned Red Hat patch to patch config.sgml along with
> > pg_config_manual.h.
>
> Thanks for quick feedback. Just to not give up too early, I'm attaching
> 2nd iteration. I'm fine to fallback to pg_config_manual.h solution though,
> if this is considered too bad.
>
> I tried to fix the docs now (crucial part indeed) so we are not that
> "strict" and there's some space for per-distributor change of ssl_ciphers
> default.
>
> From the previous mail:
> > I'm not really sure that we want to carry around that much baggage for a
> > single-system hack.
>
> Accepted, but still I'm giving a chance. OpenSSL maintainers predict this (or
> something else in similar fashion) is going to be invented in OpenSSL
> upstream.
> So there's still some potential in ./configure option.
Argh :( ! Attaching now and sorry.

Pavel

> Thanks!
> Pavel
>
> > It looks like the xxx_flush_after GUCs aren't exactly fully documented
> > as to this point, so we have some work to do there too :-(
> >
> > regards, tom lane
From 41f73a910bb7afc2afa12be35a195df317f9447b Mon Sep 17 00:00:00 2001
From: Pavel Raiskup <prais...@redhat.com>
Date: Wed, 18 Jan 2017 13:34:55 +0100
Subject: [PATCH] Allow setting distribution-specific cipher set

Fedora OpenSSL maintainers invented a way to specify consolidated,
per-system cipher set [1] and it is our packaging policy to comply (if
this is a bit meaningful). So for such situations ./configure option
comes in handy instead of downstream-patching, per Red Hat bug report [2].

[1] https://fedoraproject.org/wiki/Packaging:CryptoPolicies
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1348125
---
 configure                                     | 34 +++++++++++++++++++++++++++
 configure.in                                  | 10 ++++++++
 doc/src/sgml/config.sgml                      |  3 ++-
 doc/src/sgml/installation.sgml                | 15 ++++++++++++
 src/backend/utils/misc/guc.c                  |  2 +-
 src/backend/utils/misc/postgresql.conf.sample |  2 +-
 src/bin/initdb/initdb.c                       |  4 ++++
 src/include/pg_config.h.in                    |  3 +++
 8 files changed, 70 insertions(+), 3 deletions(-)
diff --git a/configure b/configure new file mode 100755 index bb285e4..15fad9e *** a/configure --- b/configure *************** with_bsd_auth *** 831,836 **** --- 831,837 ---- with_ldap with_bonjour with_openssl + with_openssl_be_ciphers with_selinux with_systemd with_readline *************** Optional Packages: *** 1521,1526 **** --- 1522,1529 ---- --with-ldap build with LDAP support --with-bonjour build with Bonjour support --with-openssl build with OpenSSL support + --with-openssl-be-ciphers=STRING + Replace the default list of server-supported ciphers --with-selinux build with SELinux support --with-systemd build with systemd support --without-readline do not use GNU Readline nor BSD Libedit for editing *************** fi *** 5712,5717 **** --- 5715,5751 ---- $as_echo "$with_openssl" >&6; } + pg_be_ciphers=HIGH:MEDIUM:+3DES:!aNULL + + + + # Check whether --with-openssl-be-ciphers was given. + if test "${with_openssl_be_ciphers+set}" = set; then : + withval=$with_openssl_be_ciphers; + case $withval in + yes) + as_fn_error $? "argument required for --with-openssl-be-ciphers option" "$LINENO" 5 + ;; + no) + as_fn_error $? "argument required for --with-openssl-be-ciphers option" "$LINENO" 5 + ;; + *) + pg_be_ciphers=$withval + ;; + esac + + fi + + + + cat >>confdefs.h <<_ACEOF + #define PG_DEFAULT_SSL_CIPHERS "$pg_be_ciphers" + _ACEOF + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to replace default OpenSSL cypher set" >&5 + $as_echo_n "checking whether to replace default OpenSSL cypher set... " >&6; } + # # SELinux # 
diff --git a/configure.in b/configure.in new file mode 100644 index 09a887d..fc5c3a1 *** a/configure.in --- b/configure.in *************** PGAC_ARG_BOOL(with, openssl, no, [build *** 712,717 **** --- 712,727 ---- AC_MSG_RESULT([$with_openssl]) AC_SUBST(with_openssl) + pg_be_ciphers=HIGH:MEDIUM:+3DES:!aNULL + PGAC_ARG_REQ(with, openssl-be-ciphers, [STRING], + [Replace the default list of server-supported ciphers], + [pg_be_ciphers=$withval]) + AC_DEFINE_UNQUOTED([PG_DEFAULT_SSL_CIPHERS], + ["$pg_be_ciphers"], + [Define the default for server ssl_ciphers option]) + + AC_MSG_CHECKING([whether to replace default OpenSSL cypher set]) + # # SELinux # diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml new file mode 100644 index 7c56a57..83f11cf *** a/doc/src/sgml/config.sgml --- b/doc/src/sgml/config.sgml *************** include_dir 'conf.d' *** 1046,1052 **** used on secure connections. See the <citerefentry><refentrytitle>ciphers</></citerefentry> manual page in the <application>OpenSSL</> package for the syntax of this setting ! and a list of supported values. The default value is <literal>HIGH:MEDIUM:+3DES:!aNULL</>. It is usually reasonable, unless you have specific security requirements. This parameter can only be set at server start. --- 1046,1053 ---- used on secure connections. See the <citerefentry><refentrytitle>ciphers</></citerefentry> manual page in the <application>OpenSSL</> package for the syntax of this setting ! and a list of supported values. The default value is normally ! (configurable, see <xref linkend="configure-ssl-ciphers">) <literal>HIGH:MEDIUM:+3DES:!aNULL</>. It is usually reasonable, unless you have specific security requirements. This parameter can only be set at server start. 
diff --git a/doc/src/sgml/installation.sgml b/doc/src/sgml/installation.sgml new file mode 100644 index 25a4943..dfd8336 *** a/doc/src/sgml/installation.sgml --- b/doc/src/sgml/installation.sgml *************** su - postgres *** 1157,1162 **** --- 1157,1177 ---- </listitem> </varlistentry> + <varlistentry id="configure-ssl-ciphers" xreflabel="configure-ssl-ciphers"> + <term><option>--with-openssl-be-ciphers</option></term> + <listitem> + <para> + <indexterm> + <primary>default backend SSL ciphers</primary> + </indexterm> + Configures the default value of 'ssl_ciphers' option set by + <command>initdb</>. + <![%standalone-ignore[See <xref linkend="guc-ssl-ciphers"> + for more information.]]> + </para> + </listitem> + </varlistentry> + <varlistentry> <term><option>--enable-debug</option></term> <listitem> diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c new file mode 100644 index 4f1891f..a8a73b0 *** a/src/backend/utils/misc/guc.c --- b/src/backend/utils/misc/guc.c *************** static struct config_string ConfigureNam *** 3508,3514 **** }, &SSLCipherSuites, #ifdef USE_SSL ! "HIGH:MEDIUM:+3DES:!aNULL", #else "none", #endif --- 3508,3514 ---- }, &SSLCipherSuites, #ifdef USE_SSL ! PG_DEFAULT_SSL_CIPHERS, #else "none", #endif 
diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample new file mode 100644 index fa6c0ea..ff2b181 *** a/src/backend/utils/misc/postgresql.conf.sample --- b/src/backend/utils/misc/postgresql.conf.sample *************** *** 77,83 **** #authentication_timeout = 1min # 1s-600s #ssl = off # (change requires restart) ! #ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers # (change requires restart) #ssl_prefer_server_ciphers = on # (change requires restart) #ssl_ecdh_curve = 'prime256v1' # (change requires restart) --- 77,83 ---- #authentication_timeout = 1min # 1s-600s #ssl = off # (change requires restart) ! #ssl_ciphers = '' # allowed SSL ciphers # (change requires restart) #ssl_prefer_server_ciphers = on # (change requires restart) #ssl_ecdh_curve = 'prime256v1' # (change requires restart) diff --git a/src/bin/initdb/initdb.c b/src/bin/initdb/initdb.c new file mode 100644 index 27d134e..311c130 *** a/src/bin/initdb/initdb.c --- b/src/bin/initdb/initdb.c *************** setup_config(void) *** 1308,1313 **** --- 1308,1317 ---- repltok); #endif + snprintf(repltok, sizeof(repltok), + "#ssl_ciphers = '" PG_DEFAULT_SSL_CIPHERS "'"), + conflines = replace_token(conflines, "#ssl_ciphers = ''", repltok); + #ifndef USE_PREFETCH conflines = replace_token(conflines, "#effective_io_concurrency = 1", diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in new file mode 100644 index 7dbfa90..8190879 *** a/src/include/pg_config.h.in --- b/src/include/pg_config.h.in *************** *** 738,743 **** --- 738,746 ---- /* Define to the version of this package. */ #undef PACKAGE_VERSION + /* Define the default for server ssl_ciphers option */ + #undef PG_DEFAULT_SSL_CIPHERS + /* Define to the name of a signed 128-bit integer type. */ #undef PG_INT128_TYPE -- 2.9.3
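Review bot: the AC_MSG_CHECKING([whether to replace default OpenSSL cypher set]) at the end of the configure.in hunk has no matching AC_MSG_RESULT, so the generated configure (see the configure hunk, where the $as_echo_n "checking whether to replace default OpenSSL cypher set... " line is followed directly by the SELinux section) prints that line and never finishes it. Either drop the AC_MSG_CHECKING or follow it with AC_MSG_RESULT([$pg_be_ciphers]), and spell it "cipher" to match the option's help text. The string is also written into PG_DEFAULT_SSL_CIPHERS without any check that OpenSSL accepts it, so a typo in a packager's cipher list only shows up when a server with ssl=on fails to start; the installation docs should say that the value is not validated at build time, or configure should check it when --with-openssl is given.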
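Review bot: the new config.sgml sentence "The default value is normally (configurable, see <xref linkend="configure-ssl-ciphers">) <literal>HIGH:MEDIUM:+3DES:!aNULL</>." is hard to read with the parenthesis splitting subject and value. Suggest: "The default value is <literal>HIGH:MEDIUM:+3DES:!aNULL</> unless it was changed when the server was built (see <xref linkend="configure-ssl-ciphers">)."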
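Review bot: the installation.sgml <term> shows <option>--with-openssl-be-ciphers</option> without its argument, although the option requires one (PGAC_ARG_REQ in configure.in, and the configure help text in this patch reads --with-openssl-be-ciphers=STRING); the term should read <option>--with-openssl-be-ciphers=STRING</option>. The paragraph should also use the docs' <varname>ssl_ciphers</> markup instead of 'ssl_ciphers' in quotes, and say that the argument is an OpenSSL cipher-list string (same syntax as the <varname>ssl_ciphers</> setting).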
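Review bot: changing postgresql.conf.sample to #ssl_ciphers = '' leaves an empty, unusable value in the sample file itself, which is what anyone reading the shipped sample (rather than an initdb-generated postgresql.conf) will see; OpenSSL rejects an empty cipher list, so uncommenting that line as-is breaks ssl=on. If the line has to be a placeholder for initdb's replace_token, add a trailing comment saying the value is filled in by initdb, or keep the stock string in the sample and have initdb substitute PG_DEFAULT_SSL_CIPHERS for it.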
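Review bot: the snprintf in the initdb.c hunk ends with a comma instead of a semicolon ("#ssl_ciphers = '" PG_DEFAULT_SSL_CIPHERS "'"),), turning it and the replace_token assignment into one comma expression; it compiles, but it is a typo and should be a semicolon. The substitution also splices the configured string unescaped between the single quotes of the generated line, so a cipher list containing a single quote produces a broken postgresql.conf, and repltok is a fixed-size buffer, so a long cipher list is silently truncated by snprintf; check the snprintf return value against sizeof(repltok) (or reject such strings in configure). Unlike the guc.c hunk, this code is not under #ifdef USE_SSL, so a build without OpenSSL writes the cipher string into postgresql.conf while the GUC default is "none"; harmless because the line is commented out, but worth making consistent.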
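The patch above passes whatever string a packager gives --with-openssl-be-ciphers straight into PG_DEFAULT_SSL_CIPHERS, and nothing in the thread validates it. The following is an added example, not code from the patch, from PostgreSQL or from OpenSSL: a pre-flight check a packager (or a configure-time test) can run on a candidate default. It validates the string the way the server will, through SSL_CTX_set_cipher_list as reached by Python's standard ssl module, and reports what the string actually expands to, including whether any anonymous (aNULL) suites slipped in. The three candidate strings at the bottom are constructed inputs: the stock PostgreSQL default from the thread plus two strings a packager could plausibly pass by mistake.

```python
"""Pre-flight check for a candidate ssl_ciphers default (added example).

Validates an OpenSSL cipher-list string the same way the server will and
summarises the suites it enables, so the effect of a build-time default
can be seen before it is baked into a package.
"""
import ssl


def expand_cipher_list(cipher_string):
    """Return the cipher suites OpenSSL selects for cipher_string.

    Raises ssl.SSLError when the string selects nothing (empty string,
    only unknown names, or everything excluded): the same condition under
    which a server configured with that default would fail to start.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    # On OpenSSL >= 1.1.1 get_ciphers() also lists the fixed TLS 1.3
    # suites; the cipher-list string does not affect those.
    return ctx.get_ciphers()


def check_default_ciphers(cipher_string):
    """Validate a candidate default and summarise what it enables.

    Returns a dict with:
      ok           - False when OpenSSL rejects the string outright
      error        - OpenSSL's error text when not ok
      suites       - names of the enabled suites
      anonymous    - suites with no server authentication (aNULL)
      min_strength - weakest key strength in bits among the suites
    """
    try:
        suites = expand_cipher_list(cipher_string)
    except ssl.SSLError as exc:
        return {"ok": False, "error": str(exc), "suites": [],
                "anonymous": [], "min_strength": 0}
    # OpenSSL reports anonymous key exchange as auth "auth-none".
    anonymous = [c["name"] for c in suites if c.get("auth") == "auth-none"]
    min_strength = min(c["strength_bits"] for c in suites)
    return {"ok": True, "error": "",
            "suites": [c["name"] for c in suites],
            "anonymous": anonymous, "min_strength": min_strength}


if __name__ == "__main__":
    # Constructed inputs: the stock default from the thread, an empty
    # string (what the patched postgresql.conf.sample literally contains)
    # and a name OpenSSL does not know.
    for candidate in ("HIGH:MEDIUM:+3DES:!aNULL", "", "NOSUCHCIPHER"):
        result = check_default_ciphers(candidate)
        if result["ok"]:
            print("%r: %d suites, weakest %d bits, anonymous: %s" % (
                candidate, len(result["suites"]), result["min_strength"],
                ", ".join(result["anonymous"]) or "none"))
        else:
            print("%r: REJECTED (%s)" % (candidate, result["error"]))
```

Run it with the same OpenSSL the server will link against; the exact suite list depends on that library's build, which is precisely why the check belongs at build time rather than in upstream documentation.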
-- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers