<div dir="ltr"><div>Hi Ishii-San</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Mar 26, 2019 at 9:50 AM Tatsuo Ishii <<a href="mailto:ishii@sraoss.co.jp">ishii@sraoss.co.jp</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi Pgpool Developers,<br>
<br>
Recently I got a request from a customer to add ssl_ciphers<br>
functionality of PostgreSQL. This allows to limit accepting SSL<br>
ciphers. The main motivation of this is to defend Pgpool-II from weak<br>
ciphers attack (known as Sweet32).<br>
<a href="https://access.redhat.com/security/cve/cve-2016-2183" rel="noreferrer" target="_blank">https://access.redhat.com/security/cve/cve-2016-2183</a><br>
<br>
I don't think this is a vulnerability of Pgpool-II itself. In fact<br>
other OSS projects except OpenSSL have not assigned CVE because of<br>
this.<br>
<br>
However, I think implementing ssl_ciphers is a good thing for<br>
Pgpool-II because we could say "we are safer than before." Also some<br>
of other OSS projects have done something for this.<br>
<br>
So I decided to implement ssl_ciphers and back patch to all supported<br>
branches. Usually we do not add new configuration parameters to minor<br>
releases but this time there's no other way to implement the feature,<br>
so I have to add a new parameter ssl_ciphers.<br></blockquote><div><br></div><div>I agree this is the right way to go, to make an exception in this case and back-port</div><div>the patch to all supported branches.</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
The main changes to the code are fairly small (in src/utils/pool_ssl.c):<br>
<br>
+ /* set up the allowed cipher list */<br>
+ error = SSL_CTX_set_cipher_list(cp->ssl_ctx, pool_config->ssl_ciphers);<br>
SSL_RETURN_ERROR_IF((error != 1), "Setting allowed cipher list");<br>
+<br>
+ /* Let server choose order */<br>
+ SSL_CTX_set_options(cp->ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);<br>
+<br>
<br>
SSL_CTX_set_cipher_list() limits the cipher<br>
list. SSL_CTX_set_options() is needed to reject client's request for<br>
ciphers not in the cipher list.<br>
<br>
Attached is the patch for master branch.<br></blockquote><div><br></div><div>The patch looks fine, One small comment is, do you think we should make <br></div><div>the <font face="monospace, monospace">SSL_CTX_set_options(cp->ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);</font> call<br></div><div>conditional with some new configuration parameter (similar to PostgreSQL's <font face="monospace, monospace">ssl_prefer_server_ciphers</font> config)<br></div><div>and set the default value of that parameter to "off", so that minor version upgrades<br></div><div>keep the consistent behaviour, and users gets the option to use server or client cipher preference. </div><div><br></div><div>Thanks</div><div>Best Regards</div><div>Muhammad Usama</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
We schedule to release minor releases on Friday, March 29th.<br>
--<br>
Tatsuo Ishii<br>
SRA OSS, Inc. Japan<br>
English: <a href="http://www.sraoss.co.jp/index_en.php" rel="noreferrer" target="_blank">http://www.sraoss.co.jp/index_en.php</a><br>
Japanese:<a href="http://www.sraoss.co.jp" rel="noreferrer" target="_blank">http://www.sraoss.co.jp</a><br>
_______________________________________________<br>
pgpool-hackers mailing list<br>
<a href="mailto:pgpool-hackers@pgpool.net" target="_blank">pgpool-hackers@pgpool.net</a><br>
<a href="http://www.pgpool.net/mailman/listinfo/pgpool-hackers" rel="noreferrer" target="_blank">http://www.pgpool.net/mailman/listinfo/pgpool-hackers</a><br>
</blockquote></div></div>