On Fri, May 21, 2021 at 10:41:34AM +0900, Michael Paquier wrote:
> This one can be set within ssl->s3->flags in the port information.
> Still that's not completely feasible either as some versions of
> OpenSSL hide the internals of a bunch of internal structures, and some
> distributions patch the upstream code? At the end of the day, I think
> that I would stick with simplicity and use SSL_OP_NO_RENEGOTIATION.
> It is not our job to go around any decision OpenSSL has poorly done
> either over the years. At least this part is officially documented :)

I got to look at that in detail, and the attached would be able to do the job with OpenSSL 1.0.2 and older versions. The main idea is to set up SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS once the SSL object is created when opening the TLS connection to business. I have tested that down to 0.9.8 on all supported branches with the protocols we support (heads up to ssl_min_protocol_version here), and that looks to work as I'd expect.

It is not a good idea to rely on OPENSSL_VERSION_NUMBER for such version checks as I am doing here, as we've been bitten with compatibility with LibreSSL in the past. So this had better use a check based on HAVE_OPENSSL_INIT_SSL to make sure that 1.1.0 is the version of OpenSSL used.

Anyway, I really don't like using this undocumented option, and there is nothing that can be done with OpenSSL < 1.1.0h in the 1.1.0 series as the s3 part of the *SSL object gets hidden to the application, so it is not possible to set SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS there. And so, I would like to stick with a backpatch here, only for the part of the patch involving be_tls_init(). Full patch is attached for reference. While on it, I have added a comment about TLSv1.2 being the last protocol supporting renegotiation.

Any objections?
--
Michael

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index c4e8113241..4552db5b43 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -251,6 +251,15 @@ be_tls_init(bool isServerStart) /* disallow SSL compression */ SSL_CTX_set_options(context, SSL_OP_NO_COMPRESSION); +#ifdef SSL_OP_NO_RENEGOTIATION + /* + * Disallow SSL renegotiation, option available since 1.1.0h. This + * concerns only TLSv1.2 and older protocol versions, as TLSv1.3 has + * no support for renegotiation. + */ + SSL_CTX_set_options(context, SSL_OP_NO_RENEGOTIATION); +#endif + /* set up ephemeral DH and ECDH keys */ if (!initialize_dh(context, isServerStart)) goto error; @@ -430,6 +439,15 @@ be_tls_open_server(Port *port) } port->ssl_in_use = true; +#if defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) && (OPENSSL_VERSION_NUMBER < 0x10100000L) + /* + * Disallow SSL renegotiation. SSL_OP_NO_RENEGOTIATION is not available + * in OpenSSL 1.0.2 and older versions, but this undocumented option + * allows to achieve the same goal. + */ + port->ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS; +#endif + aloop: /*
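
Review bot: In the be_tls_init() hunk, the "#ifdef SSL_OP_NO_RENEGOTIATION" guard means that a build against headers lacking the option compiles the call out and leaves renegotiation enabled, and nothing in the added comment says so. Since the message proposes back-patching only this part, the comment should state that builds without the macro get no protection from this block, so a reader does not assume renegotiation is disabled everywhere.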
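
Review bot: In the be_tls_open_server() hunk, the guard tests "OPENSSL_VERSION_NUMBER < 0x10100000L", which the accompanying message itself calls unreliable because of past LibreSSL compatibility problems; keying the guard on HAVE_OPENSSL_INIT_SSL not being defined, as the message suggests, would address that. The assignment also dereferences port->ssl->s3 directly, so a short remark in the comment on why s3 is always set at this point would help, and "allows to achieve the same goal" in the comment reads better as "achieves the same goal".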