On Thu, Dec 12, 2013 at 01:33:57PM +0100, Magnus Hagander wrote:
> On Thu, Dec 12, 2013 at 11:30 AM, Marko Kreen <[email protected]> wrote:
> > On Wed, Dec 11, 2013 at 10:08:44PM -0500, Tom Lane wrote:
> > I know that SChannel SSL library in Windows XP (and earlier) is such
> > RC4+3DES only implementation, but I have not heard about anything
> > using it to connect to Postgres.
> >
> > Also I have not heard about any Postgres clients actually allowing
> > to configure ciphers, so my impression all client libraries
> > use defaults, which usually prefer AES anyway.
> >
>
> I don't know, but I would assume that npgsql which sit on top of dotnet,
> would sit on top of schannel in the end.
Probably yes.
> That said, this is XP and earlier, right? Newer versions of Windows have
> better defaults?
Yes, since Vista it supports AES:
http://msdn.microsoft.com/en-us/library/windows/desktop/ff468651%28v=vs.85%29.aspx
> > So my new proposal would be to pick one from following defaults:
> >
> > 1) HIGH:+3DES:!aNULL - disables RC4, orders 3DES last.
> >
> > 2) HIGH:MEDIUM:+3DES:!aNULL - no suite changes from current one,
> > except 3DES is ordered last.
> >
> > +3DES reorders already picked 3DES suites to the end. As my
> > impression is that no clients ever have actually used 3DES,
> > it's fine to use !3DES there. It's clearer too. But if max
> > compatibility is goal, then +3DES is better.
> >
> > It's not as nice and simple as I hoped though. :(
> >
>
> We definitely want to explain in a comment next to the default value the
> exact reasoning behind the default value, I think. That doesn't mean people
> will understand it, but it means they at least have a chance.
>
> That said, #2 seems reasonable I think, but I wouldn't object to #1 either
> :)
Although I don't think that making .NET users on XP use 3DES is a big
problem, there is also no urgent need to drop RC4, as long as all
reasonable alternatives are used first.
Attached patch changes default ciphersuite to HIGH:MEDIUM:+3DES:!aNULL
and also adds documentation about reasoning for it. (I tried to be
consistent there about "cipher" vs. "cipher suite", not sure whether
I succeeded.)
Summary: this default with previous server-order-first patch make sure
that MEDIUM ciphers are never picked accidentally (eg. the bad default
in Java 6), but only when explicitly requested or when only alternative
is 3DES.
--
marko
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index 8896988..2755f55 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -876,12 +876,62 @@ include 'filename'
</indexterm>
<listitem>
<para>
- Specifies a list of <acronym>SSL</> ciphers that are allowed to be
+ Specifies a list of <acronym>SSL</> cipher suites that are allowed to be
used on secure connections. See
the <citerefentry><refentrytitle>ciphers</></citerefentry> manual page
in the <application>OpenSSL</> package for the syntax of this setting
- and a list of supported values. The default value is usually
- reasonable, unless you have specific security requirements.
+ and a list of supported values. The default value is
+ <literal>HIGH:MEDIUM:+3DES:!aNULL</>. It is usually reasonable,
+ unless you have specific security requirements.
+ </para>
+ <para>
+ Explanation for default value:
+ <variablelist>
+ <varlistentry>
+ <term><literal>HIGH</literal></term>
+ <listitem>
+ <para>
+ Cipher suites that use ciphers from <literal>HIGH</> section.
+ (AES, Camellia, 3DES)
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><literal>MEDIUM</literal></term>
+ <listitem>
+ <para>
+ Cipher suites that use ciphers from <literal>MEDIUM</> section.
+ (RC4, SEED)
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><literal>+3DES</literal></term>
+ <listitem>
+ <para>
+ OpenSSL default order for <literal>HIGH</> is problematic as it orders 3DES
+ higher than AES128. This is wrong as 3DES offers less security than AES128
+ and it is also much slower. <literal>+3DES</> reorders it after all other
+ <literal>HIGH</> and <literal>MEDIUM</> ciphers.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><literal>!aNULL</literal></term>
+ <listitem>
+ <para>
+ Disables anonymous cipher suites that do no authentication.
+ Such cipher suites are vulnerable to a "man in the middle"
+ attack and so should not be used.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ Available cipher suite details will vary across OpenSSL versions, these values
+ are taken from <application>OpenSSL</> 1.0.1. Use command
+ <literal>openssl ciphers -v 'HIGH:MEDIUM:+3DES:!aNULL'</literal>
+ to see actual details for currently installed <application>OpenSSL</> version.
+ Note that this list is filtered on runtime based on server key type.
</para>
</listitem>
</varlistentry>
diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c
index e69e132..0ad02e8 100644
--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -3156,7 +3156,7 @@ static struct config_string ConfigureNamesString[] =
},
&SSLCipherSuites,
#ifdef USE_SSL
- "DEFAULT:!LOW:!EXP:!MD5:@STRENGTH",
+ "HIGH:MEDIUM:+3DES:!aNULL",
#else
"none",
#endif
diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample
index f8bdce3..aff9f84 100644
--- a/src/backend/utils/misc/postgresql.conf.sample
+++ b/src/backend/utils/misc/postgresql.conf.sample
@@ -79,7 +79,7 @@
#authentication_timeout = 1min # 1s-600s
#ssl = off # (change requires restart)
-#ssl_ciphers = 'DEFAULT:!LOW:!EXP:!MD5:@STRENGTH' # allowed SSL ciphers
+#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
# (change requires restart)
#ssl_prefer_server_ciphers = on # (change requires restart)
#ssl_ecdh_curve = 'prime256v1' # (change requires restart)
--
Sent via pgsql-hackers mailing list ([email protected])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
