[pgpool-hackers: 3272] ssl_ciphers
Tatsuo Ishii
ishii at sraoss.co.jp
Tue Mar 26 13:50:01 JST 2019
Hi Pgpool Developers,
Recently I got a request from a customer to add ssl_ciphers
functionality of PostgreSQL. This allows to limit accepting SSL
ciphers. The main motivation of this is to defend Pgpool-II from weak
ciphers attack (known as Sweet32).
https://access.redhat.com/security/cve/cve-2016-2183
I don't think this is a vulnerability of Pgpool-II itself. In fact
other OSS projects except OpenSSL have not assigned CVE because of
this.
However, I think implementing ssl_ciphers is a good thing for
Pgpool-II because we could say "we are safer than before." Also some
of other OSS projects have done something for this.
So I decided to implement ssl_ciphers and back patch to all supported
branches. Usually we do not add new configuration parameters to minor
releases but this time there's no other way to implement the feature,
so I have to add a new parameter ssl_ciphers.
The main changes to the code are fairly small (in src/utils/pool_ssl.c):
+ /* set up the allowed cipher list */
+ error = SSL_CTX_set_cipher_list(cp->ssl_ctx, pool_config->ssl_ciphers);
SSL_RETURN_ERROR_IF((error != 1), "Setting allowed cipher list");
+
+ /* Let server choose order */
+ SSL_CTX_set_options(cp->ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+
SSL_CTX_set_cipher_list() limits the cipher
list. SSL_CTX_set_options() is needed to reject client's request for
ciphers not in the cipher list.
Attached is the patch for master branch.
We schedule to release minor releases on Friday, March 29th.
--
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
Japanese:http://www.sraoss.co.jp
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ssl.diff
Type: application/octet-stream
Size: 9674 bytes
Desc: not available
URL: <http://www.sraoss.jp/pipermail/pgpool-hackers/attachments/20190326/0375787c/attachment.obj>
More information about the pgpool-hackers
mailing list