[PATCHES] SSL enhancement patch ver.2

2006-09-01 Thread Victor B. Wagner
This patch adds following functionality to PostgreSQL

1. If PostgreSQL is compiled with OpenSSL version 0.9.7 and above,
both backend and libpq read site-wide OpenSSL configuration file as
described in OPENSSL_config function manual page. 

This allows to use hardware crypto acceleration modules (engines) and,
in future version 0.9.9 would allow to use additional cryptoalgorithms
(i.e. national standards) which are not included in core OpenSSL.

All other configuration parameters which are supported by OpenSSL
library also are taken into account.


2. New configuration option "ssl_ciphers" is added to postgresql.conf.
This option allows to change list of ciphers, acceptable by backend
during SSL connection. Changing list of ciphers can be desirable to
tighten or relax security of particular installation, and allows quick
fix on configuration file level in case if vulnerability is discovered
in one of cryptoalgorithms or their OpenSSL implementation - cipher
suites which use such algorithm can be easily disabled.


3. If libpq compiled with OpenSSL 0.9.7 and above, compiled with engine
support, it is possible to store secret key of client certificate on the
hardware token, supported by one of OpenSSL engines (Hardware Security
Module). Name of engine which supports token and engine-specific key ID
are specified using environment variable PGSSLKEY.

This allows use of hardware tokens such as smartcards to identify
clients, connecting to database.

This functionality can be used in installations with high security
requirements or in situations where several people can use same terminal
(such as cash register in shops or malls).

If PostgreSQL is compiled with version of OpenSSL which do not support
engines or doesn't have OPENSSL_config function, related functionality
is excluded by preprocessor conditionals, based on value of 
SSLEAY_VERSION_NUMBER preprocessor symbol which is defined by all
versions of OpenSSL.

diff -rcN ../pgsql-20060830/doc/src/sgml/config.sgml ./doc/src/sgml/config.sgml
*** ../pgsql-20060830/doc/src/sgml/config.sgml  2006-08-30 16:01:12.0 
+0400
--- ./doc/src/sgml/config.sgml  2006-09-01 11:13:34.0 +0400
***
*** 555,561 
 

   
! 
   
password_encryption 
(boolean)

--- 555,575 
 

   
!
!ssl_ciphers> (string)
!
!   ssl_ciphers configuration 
parameter
!
!
! 
!   Specifies list of SSL ciphers, which can be used to
!   establish secure connection. See manual page for
!   openssl ciphers
!   command to find list of allowed values and their semantics.
!
!
!
!
   
password_encryption 
(boolean)
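
Review bot: the new ssl_ciphers paragraph states neither the parameter's default nor the syntax of the value; it only sends the reader to the openssl ciphers manual page. The entry should say that the string is an OpenSSL cipher list, give the built-in default, and show one example value. The first sentence also needs its articles: "Specifies a list of SSL ciphers which can be used to establish a secure connection."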

diff -rcN ../pgsql-20060830/doc/src/sgml/libpq.sgml ./doc/src/sgml/libpq.sgml
*** ../pgsql-20060830/doc/src/sgml/libpq.sgml   2006-08-30 16:01:12.0 
+0400
--- ./doc/src/sgml/libpq.sgml   2006-09-01 12:30:33.0 +0400
***
*** 3942,3947 
--- 3942,3959 
  
  
  
+ PGSSLKEY
+ 
+ PGSSLKEY
+ specifies hardware token which store secret key of the client
+ certificate, instead of file. Value of this variable should consist of
+ colon separated engine name (engines are loadable modules of
+ OpenSSL) and engine-specific key identifier.
+ 
+ 
+ 
+ 
+ 
   PGKRBSRVNAME
  
  PGKRBSRVNAME sets the Kerberos service name to use when
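
Review bot: the PGSSLKEY description says the value consists of a "colon separated engine name" and an "engine-specific key identifier", but it does not say what happens when the key identifier itself contains a colon. State which colon separates the two parts and add one example value. Also, "which store" should be "which stores", and "colon separated" should be hyphenated.
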
***
*** 4139,4158 
 for increased security. See  for details
 about the server-side SSL functionality.

! 

 If the server demands a client certificate, 
 libpq
 will send the certificate stored in file
 ~/.postgresql/postgresql.crt within the user's home directory.
 A matching private key file ~/.postgresql/postgresql.key
!must also be present, and must not be world-readable.
 (On Microsoft Windows these files are named
 %APPDATA%\postgresql\postgresql.crt and
 %APPDATA%\postgresql\postgresql.key.)

  

 If the file ~/.postgresql/root.crt is present in the user's
 home directory,
 libpq will use the certificate list stored
--- 4151,4194 
 for increased security. See  for details
 about the server-side SSL functionality.

!   
!   libpq reads system-wide
!   OpenSSL configuration file. By default this
!   file is named openssl.cnf and located in the
!   directory, which is reported by command:
!   
!   openssl version -d
!   
!   This default can be overriden by setting environment variable
!   OPENSSL_CONF to the name of desired configuration file.
!   

 If the server demands a client certificate, 
 libpq
 will send the certificate stored in file
 ~/.postgresql/postgresql.crt within the user's home directory.
 A matching private key file ~/.postgresql/postgresql.key
!must also be present, and must not be world-readable, unless secret
!key is stored on hardware
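
Review bot: in the changed sentence about postgresql.key, "must not be world-readable, unless secret key is stored on hardware" reads as if the key file may be world-readable when a token is used. If the intent is that no key file is needed in that case, split this into two sentences: the permission requirement for the file, then the hardware-token alternative selected with PGSSLKEY. In the new OPENSSL_CONF paragraph, "overriden" should be "overridden".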

Re: [PATCHES] SSL enhancement patch ver.2

2006-09-02 Thread Bruce Momjian

This has been saved for the 8.3 release:

http://momjian.postgresql.org/cgi-bin/pgpatches_hold

---

Victor B. Wagner wrote:
> This patch adds following functionality to PostgreSQL
> 
> 1. If PostgreSQL is compiled with OpenSSL version 0.9.7 and above,
> both backend and libpq read site-wide OpenSSL configuration file as
> described in OPENSSL_config function manual page. 
> 
> This allows to use hardware crypto acceleration modules (engines) and,
> in future version 0.9.9 would allow to use additional cryptoalgorithms
> (i.e. national standards) which are not included in core OpenSSL.
> 
> All other configuration parameters which are supported by OpenSSL
> library also are taken into account.
> 
> 
> 2. New configuration option "ssl_ciphers" is added to postgresql.conf.
> This option allows to change list of ciphers, acceptable by backend
> during SSL connection. Changing list of ciphers can be desirable to
> tighten or relax security of particular installation, and allows quick
> fix on configuration file level in case if vulnerability is discovered
> in one of cryptoalgorithms or their OpenSSL implementation - cipher
> suites which use such algorithm can be easily disabled.
> 
> 
> 3. If libpq compiled with OpenSSL 0.9.7 and above, compiled with engine
> support, it is possible to store secret key of client certificate on the
> hardware token, supported by one of OpenSSL engines (Hardware Security
> Module). Name of engine which supports token and engine-specific key ID
> are specified using environment variable PGSSLKEY.
> 
> This allows use of hardware tokens such as smartcards to identify
> clients, connecting to database.
> 
> This functionality can be used in installations with high security
> requirements or in situations where several people can use same terminal
> (such as cash register in shops or malls).
> 
> If PostgreSQL is compiled with version of OpenSSL which do not support
> engines or doesn't have OPENSSL_config function, related functionality
> is excluded by preprocessor conditionals, based on value of 
> SSLEAY_VERSION_NUMBER preprocessor symbol which is defined by all
> versions of OpenSSL.
> 

[ Attachment, skipping... ]

> 
> ---(end of broadcast)---
> TIP 5: don't forget to increase your free space map settings

-- 
  Bruce Momjian   [EMAIL PROTECTED]
  EnterpriseDB    http://www.enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +



Re: [PATCHES] SSL enhancement patch ver.2

2007-02-08 Thread Bruce Momjian

Your patch has been added to the PostgreSQL unapplied patches list at:

http://momjian.postgresql.org/cgi-bin/pgpatches

It will be applied as soon as one of the PostgreSQL committers reviews
and approves it.

---


Victor B. Wagner wrote:
> This patch adds following functionality to PostgreSQL
> 
> 1. If PostgreSQL is compiled with OpenSSL version 0.9.7 and above,
> both backend and libpq read site-wide OpenSSL configuration file as
> described in OPENSSL_config function manual page. 
> 
> This allows to use hardware crypto acceleration modules (engines) and,
> in future version 0.9.9 would allow to use additional cryptoalgorithms
> (i.e. national standards) which are not included in core OpenSSL.
> 
> All other configuration parameters which are supported by OpenSSL
> library also are taken into account.
> 
> 
> 2. New configuration option "ssl_ciphers" is added to postgresql.conf.
> This option allows to change list of ciphers, acceptable by backend
> during SSL connection. Changing list of ciphers can be desirable to
> tighten or relax security of particular installation, and allows quick
> fix on configuration file level in case if vulnerability is discovered
> in one of cryptoalgorithms or their OpenSSL implementation - cipher
> suites which use such algorithm can be easily disabled.
> 
> 
> 3. If libpq compiled with OpenSSL 0.9.7 and above, compiled with engine
> support, it is possible to store secret key of client certificate on the
> hardware token, supported by one of OpenSSL engines (Hardware Security
> Module). Name of engine which supports token and engine-specific key ID
> are specified using environment variable PGSSLKEY.
> 
> This allows use of hardware tokens such as smartcards to identify
> clients, connecting to database.
> 
> This functionality can be used in installations with high security
> requirements or in situations where several people can use same terminal
> (such as cash register in shops or malls).
> 
> If PostgreSQL is compiled with version of OpenSSL which do not support
> engines or doesn't have OPENSSL_config function, related functionality
> is excluded by preprocessor conditionals, based on value of 
> SSLEAY_VERSION_NUMBER preprocessor symbol which is defined by all
> versions of OpenSSL.
> 

[ Attachment, skipping... ]

> 

-- 
  Bruce Momjian  <[EMAIL PROTECTED]>  http://momjian.us
  EnterpriseDB   http://www.enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +



Re: [PATCHES] SSL enhancement patch ver.2

2007-02-14 Thread Bruce Momjian
Victor B. Wagner wrote:
> This patch adds following functionality to PostgreSQL
> 
> 1. If PostgreSQL is compiled with OpenSSL version 0.9.7 and above,
> both backend and libpq read site-wide OpenSSL configuration file as
> described in OPENSSL_config function manual page. 
> 
> This allows to use hardware crypto acceleration modules (engines) and,
> in future version 0.9.9 would allow to use additional cryptoalgorithms
> (i.e. national standards) which are not included in core OpenSSL.
> 
> All other configuration parameters which are supported by OpenSSL
> library also are taken into account.
> 
> 
> 2. New configuration option "ssl_ciphers" is added to postgresql.conf.
> This option allows to change list of ciphers, acceptable by backend
> during SSL connection. Changing list of ciphers can be desirable to
> tighten or relax security of particular installation, and allows quick
> fix on configuration file level in case if vulnerability is discovered
> in one of cryptoalgorithms or their OpenSSL implementation - cipher
> suites which use such algorithm can be easily disabled.

Why are you adding "ssl_ciphers" to postgresql.conf?  Can't you control
that from the site-wide OpenSSL configuration file added above?

-- 
  Bruce Momjian  <[EMAIL PROTECTED]>  http://momjian.us
  EnterpriseDB   http://www.enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +



Re: [PATCHES] SSL enhancement patch ver.2

2007-02-14 Thread Bruce Momjian

Never mind, I found the answer:

http://archives.postgresql.org/pgsql-hackers/2006-08/msg01931.php

Working on the patch now.

---

Bruce Momjian wrote:
> Victor B. Wagner wrote:
> > This patch adds following functionality to PostgreSQL
> > 
> > 1. If PostgreSQL is compiled with OpenSSL version 0.9.7 and above,
> > both backend and libpq read site-wide OpenSSL configuration file as
> > described in OPENSSL_config function manual page. 
> > 
> > This allows to use hardware crypto acceleration modules (engines) and,
> > in future version 0.9.9 would allow to use additional cryptoalgorithms
> > (i.e. national standards) which are not included in core OpenSSL.
> > 
> > All other configuration parameters which are supported by OpenSSL
> > library also are taken into account.
> > 
> > 
> > 2. New configuration option "ssl_ciphers" is added to postgresql.conf.
> > This option allows to change list of ciphers, acceptable by backend
> > during SSL connection. Changing list of ciphers can be desirable to
> > tighten or relax security of particular installation, and allows quick
> > fix on configuration file level in case if vulnerability is discovered
> > in one of cryptoalgorithms or their OpenSSL implementation - cipher
> > suites which use such algorithm can be easily disabled.
> 
> Why are you adding "ssl_ciphers" to postgresql.conf?  Can't you control
> that from the site-wide OpenSSL configuration file added above?
> 
> -- 
>   Bruce Momjian  <[EMAIL PROTECTED]>  http://momjian.us
>   EnterpriseDB   http://www.enterprisedb.com
> 
>   + If your life is a hard drive, Christ can be your backup. +
> 

-- 
  Bruce Momjian  <[EMAIL PROTECTED]>  http://momjian.us
  EnterpriseDB   http://www.enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +



Re: [PATCHES] SSL enhancement patch ver.2

2007-02-15 Thread Bruce Momjian

Patch applied --- SSL improvements:

o read global SSL configuration file
o add GUC "ssl_ciphers" to control allowed ciphers
o add libpq environment variable PGSSLKEY to control SSL
  hardware keys

I adjusted the documentation wording and some of the single-letter
variable names you used --- the applied version is attached.  Thanks.

---

Victor B. Wagner wrote:
> This patch adds following functionality to PostgreSQL
> 
> 1. If PostgreSQL is compiled with OpenSSL version 0.9.7 and above,
> both backend and libpq read site-wide OpenSSL configuration file as
> described in OPENSSL_config function manual page. 
> 
> This allows to use hardware crypto acceleration modules (engines) and,
> in future version 0.9.9 would allow to use additional cryptoalgorithms
> (i.e. national standards) which are not included in core OpenSSL.
> 
> All other configuration parameters which are supported by OpenSSL
> library also are taken into account.
> 
> 
> 2. New configuration option "ssl_ciphers" is added to postgresql.conf.
> This option allows to change list of ciphers, acceptable by backend
> during SSL connection. Changing list of ciphers can be desirable to
> tighten or relax security of particular installation, and allows quick
> fix on configuration file level in case if vulnerability is discovered
> in one of cryptoalgorithms or their OpenSSL implementation - cipher
> suites which use such algorithm can be easily disabled.
> 
> 
> 3. If libpq compiled with OpenSSL 0.9.7 and above, compiled with engine
> support, it is possible to store secret key of client certificate on the
> hardware token, supported by one of OpenSSL engines (Hardware Security
> Module). Name of engine which supports token and engine-specific key ID
> are specified using environment variable PGSSLKEY.
> 
> This allows use of hardware tokens such as smartcards to identify
> clients, connecting to database.
> 
> This functionality can be used in installations with high security
> requirements or in situations where several people can use same terminal
> (such as cash register in shops or malls).
> 
> If PostgreSQL is compiled with version of OpenSSL which do not support
> engines or doesn't have OPENSSL_config function, related functionality
> is excluded by preprocessor conditionals, based on value of 
> SSLEAY_VERSION_NUMBER preprocessor symbol which is defined by all
> versions of OpenSSL.
> 

[ Attachment, skipping... ]

> 

-- 
  Bruce Momjian  <[EMAIL PROTECTED]>  http://momjian.us
  EnterpriseDB   http://www.enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +
Index: doc/src/sgml/config.sgml
===
RCS file: /cvsroot/pgsql/doc/src/sgml/config.sgml,v
retrieving revision 1.110
diff -c -c -r1.110 config.sgml
*** doc/src/sgml/config.sgml	8 Feb 2007 15:46:03 -	1.110
--- doc/src/sgml/config.sgml	16 Feb 2007 01:26:20 -
***
*** 569,574 
--- 569,588 

   
  
+  
+   ssl_ciphers> (string)
+   
+ssl_ciphers configuration parameter
+   
+   
+
+ Specifies a list of SSL ciphers which can be used to
+ establish secure connections. See the openssl
+ manual page for a list of supported ciphers.
+
+   
+  
+ 
   
password_encryption (boolean)
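
Review bot: "See the openssl manual page for a list of supported ciphers" in the applied ssl_ciphers text is a vaguer pointer than the submitted wording, which named the openssl ciphers command. Suggest keeping the reference to openssl ciphers so readers land on the cipher list documentation directly, and stating the default value of ssl_ciphers in this entry.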

Index: doc/src/sgml/libpq.sgml
===
RCS file: /cvsroot/pgsql/doc/src/sgml/libpq.sgml,v
retrieving revision 1.228
diff -c -c -r1.228 libpq.sgml
*** doc/src/sgml/libpq.sgml	6 Feb 2007 03:03:11 -	1.228
--- doc/src/sgml/libpq.sgml	16 Feb 2007 01:26:22 -
***
*** 4175,4180 
--- 4175,4192 
  
  
  
+ PGSSLKEY
+ 
+ PGSSLKEY
+ specifies the hardware token which stores the secret key for the client
+ certificate, instead of a file. The value of this variable should consist
+ of a colon-separated engine name (engines are OpenSSL
+ loadable modules) and an engine-specific key identifier.
+ 
+ 
+ 
+ 
+ 
   PGKRBSRVNAME
  
  PGKRBSRVNAME sets the Kerberos service name to use when
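
Review bot: the PGSSLKEY entry says the token is used "instead of a file" but does not say which source wins when PGSSLKEY is set and ~/.postgresql/postgresql.key also exists, or whether libpq falls back to the file when the named engine cannot be loaded. Document the precedence and the failure behaviour here, since a silent fallback to a key file would defeat the purpose of keeping the key on the token.
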
***
*** 4438,4457 
 for increased security. See  for details
 about the server-side SSL functionality.

! 

 If the server demands a client certificate, 
 libpq
 will send the certificate stored in file
 ~/.postgresql/postgresql.crt within the user's home directory.
 A matching private key file ~/.postgresql/postgresql.key
!must also be present, and must not be world-readable.
 (On Microsoft Windows these files are named
 %APPDATA%\postgresql\postgresql.crt and
 %APPDATA%\postgresql\postgresql.key.)
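
Added example, not part of the thread or of the applied patch: one way a client could split a PGSSLKEY value of the form described above (engine name, colon, engine-specific key identifier) and reject malformed values. Splitting at the first colon, the name parse_pgsslkey, the status codes and the sample value are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Status codes; the names are hypothetical, not libpq's. */
enum pgsslkey_status {
    PGSSLKEY_OK = 0,
    PGSSLKEY_NO_COLON,      /* not of the form engine:key */
    PGSSLKEY_EMPTY_ENGINE,  /* ":key" */
    PGSSLKEY_EMPTY_KEY,     /* "engine:" */
    PGSSLKEY_TOO_LONG       /* a part does not fit the caller's buffer */
};

/*
 * Split "engine:key_id" at the FIRST colon (an assumption, see above), so a
 * key identifier that itself contains colons stays intact.  On any error both
 * outputs are empty strings, so a caller cannot act on a half-parsed value.
 */
static enum pgsslkey_status
parse_pgsslkey(const char *value, char *engine, size_t engine_sz,
               char *key_id, size_t key_sz)
{
    const char *colon;
    size_t      engine_len, key_len;

    if (engine_sz == 0 || key_sz == 0)
        return PGSSLKEY_TOO_LONG;
    engine[0] = key_id[0] = '\0';

    if (value == NULL || (colon = strchr(value, ':')) == NULL)
        return PGSSLKEY_NO_COLON;
    engine_len = (size_t) (colon - value);
    key_len = strlen(colon + 1);
    if (engine_len == 0)
        return PGSSLKEY_EMPTY_ENGINE;
    if (key_len == 0)
        return PGSSLKEY_EMPTY_KEY;
    if (engine_len >= engine_sz || key_len >= key_sz)
        return PGSSLKEY_TOO_LONG;

    memcpy(engine, value, engine_len);
    engine[engine_len] = '\0';
    memcpy(key_id, colon + 1, key_len + 1);    /* copies the NUL too */
    return PGSSLKEY_OK;
}

int main(void)
{
    char engine[32], key_id[128];
    /* Constructed sample value; engine name and key id are illustrative. */
    const char *sample = "pkcs11:slot_0-id_01:02";

    if (parse_pgsslkey(sample, engine, sizeof engine, key_id, sizeof key_id) != PGSSLKEY_OK)
        return 1;
    printf("engine=%s key_id=%s\n", engine, key_id);
    return 0;
}
```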