The ssl_ciphers GUC can only set cipher suites for TLSv1.2, and lower,
connections. For TLSv1.3 connections a different OpenSSL API must be
used. This adds a new GUC, ssl_tls13_ciphers, which can be used to
configure a colon separated list of cipher suites to support when
performing a TLSv1.3 handshake.
Original patch by Erica Zhang with additional hacking by me.
Author: Erica Zhang
Author: Daniel Gustafsson
Reviewed-by: Jacob Champion
Reviewed-by: Andres Freund
Reviewed-by: Peter Eisentraut
Reviewed-by: Jelte Fennema-Nio
Discussion: https://postgr.es/m/[email protected]
+
+ ssl_tls13_ciphers (string)
+
+
ssl_tls13_ciphers configuration parameter+
+
+
+ Specifies a list of cipher suites that are allowed by connections using
+
TLS version 1.3. Multiple cipher suites can be
+ specified by using a colon separated list. If left blank, the default
+ set of cipher suites in
OpenSSL will be used.
+
+
+ This parameter can only be set in the
+ postgresql.conf file or on the server command
+ line.
+
+
+
+
ssl_ciphers (string)
- Specifies a list of
SSL cipher suites that are
- allowed to be used by SSL connections. See the
- ciphers
+ Specifies a list of
SSL ciphers that are allowed by
+ connections using TLS version 1.2 and lower, see
+ for TLS version 1.3 connections. See
+ the ciphers
manual page in the
OpenSSL package for the
- syntax of this setting and a list of supported values. Only
- connections using TLS version 1.2 and lower are affected. There is
- currently no setting that controls the cipher choices used by TLS
- version 1.3 connections. The default value is
- HIGH:MEDIUM:+3DES:!aNULL. The default is usually a
+ syntax of this setting and a list of supported values. The default value
+ is HIGH:MEDIUM:+3DES:!aNULL. The default is usually a
reasonable choice unless you have specific security requirements.
if (!initialize_ecdh(context, isServerStart))
goto error;
- /* set up the allowed cipher list */
- if (SSL_CTX_set_cipher_list(context, SSLCipherSuites) != 1)
+ /* set up the allowed cipher list for TLSv1.2 and below */
+ if (SSL_CTX_set_cipher_list(context, SSLCipherList) != 1)
{
ereport(isServerStart ? FATAL : LOG,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
- errmsg("could not set the cipher list (no valid ciphers available)")));
+ errmsg("could not set the TLSv1.2 cipher list (no valid ciphers available)")));
goto error;
}
+ /*
+ * Set up the allowed cipher suites for TLSv1.3. If the GUC is an empty
+ * string we leave the allowed suites to be the OpenSSL default value.
+ */
+ if (SSLCipherSuites[0])
+ {
+ /* set up the allowed cipher suites */
+ if (SSL_CTX_set_ciphersuites(context, SSLCipherSuites) != 1)
+ {
+ ereport(isServerStart ? FATAL : LOG,
+ (errcode(ERRCODE_CONFIG_FILE_ERROR),
+ errmsg("could not set the TLSv1.3 cipher suites (no valid ciphers available)")));
+ goto error;
+ }
+ }
+
/* Let server choose order */
if (SSLPreferServerCiphers)
SSL_CTX_set_options(context, SSL_OP_CIPHER_SERVER_PREFERENCE);
/* GUC variable controlling SSL cipher list */
char *SSLCipherSuites = NULL;
+char *SSLCipherList = NULL;
/* GUC variable for default ECHD curve. */
char *SSLECDHCurve;
},
{
- {"ssl_ciphers", PGC_SIGHUP, CONN_AUTH_SSL,
- gettext_noop("Sets the list of allowed SSL ciphers."),
+ {"ssl_tls13_ciphers", PGC_SIGHUP, CONN_AUTH_SSL,
+ gettext_noop("Sets the list of allowed TLSv1.3 cipher suites (leave blank for default)."),
NULL,
GUC_SUPERUSER_ONLY
},
&SSLCipherSuites,
+ "",
+ NULL, NULL, NULL
+ },
+
+ {
+ {"ssl_ciphers", PGC_SIGHUP, CONN_AUTH_SSL,
+ gettext_noop("Sets the list of allowed TLSv1.2 (and lower) ciphers."),
+ NULL,
+ GUC_SUPERUSER_ONLY
+ },
+ &SSLCipherList,
#ifdef USE_OPENSSL
"HIGH:MEDIUM:+3DES:!aNULL",
#else
#ssl_crl_file = ''
#ssl_crl_dir = ''
#ssl_key_file = 'server.key'
-#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
+#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed TLSv1.2 ciphers
+#ssl_tls13_ciphers = '' # allowed TLSv1.3 cipher suites, blank for default
#ssl_prefer_server_ciphers = on
#ssl_groups = 'prime256v1'
#ssl_min_protocol_version = 'TLSv1.2'
/* GUCs */
extern PGDLLIMPORT char *SSLCipherSuites;
+extern PGDLLIMPORT char *SSLCipherList;
extern PGDLLIMPORT char *SSLECDHCurve;
extern PGDLLIMPORT bool SSLPreferServerCiphers;
extern PGDLLIMPORT int ssl_min_protocol_version;
ok(unlink($node->data_dir . '/sslconfig.conf'));
$node->append_conf('sslconfig.conf', "ssl=on");
$node->append_conf('sslconfig.conf', $backend->set_server_cert(\%params));
- # use lists of ECDH curves for syntax testing
+ # use lists of ECDH curves and cipher suites for syntax testing
$node->append_conf('sslconfig.conf', 'ssl_groups=prime256v1:secp521r1');
+ $node->append_conf('sslconfig.conf', 'ssl_tls13_ciphers=TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256');
$node->append_conf('sslconfig.conf',
"ssl_passphrase_command='" . $params{passphrase_cmd} . "'")
projects / postgresql.git / commitdiff