On Thu, Dec 12, 2013 at 01:33:57PM +0100, Magnus Hagander wrote: > On Thu, Dec 12, 2013 at 11:30 AM, Marko Kreen <mark...@gmail.com> wrote: > > On Wed, Dec 11, 2013 at 10:08:44PM -0500, Tom Lane wrote: > > I know that SChannel SSL library in Windows XP (and earlier) is such > > RC4+3DES only implementation, but I have not heard about anything > > using it to connect to Postgres. > > > > Also I have not heard about any Postgres clients actually allowing > > to configure ciphers, so my impression all client libraries > > use defaults, which usually prefer AES anyway. > > > > I don't know, but I would assume that npgsql which sit on top of dotnet, > would sit on top of schannel in the end.
Probably yes. > That said, this is XP and earlier, right? Newer versions of Windows have > better defaults? Yes, since Vista it supports AES: http://msdn.microsoft.com/en-us/library/windows/desktop/ff468651%28v=vs.85%29.aspx > > So my new proposal would be to pick one from following defaults: > > > > 1) HIGH:+3DES:!aNULL - disables RC4, orders 3DES last. > > > > 2) HIGH:MEDIUM:+3DES:!aNULL - no suite changes from current one, > > except 3DES is ordered last. > > > > +3DES reorders already picked 3DES suites to the end. As my > > impression is that no clients ever have actually used 3DES, > > it's fine to use !3DES there. It's clearer too. But if max > > compatibility is goal, then +3DES is better. > > > > It's not as nice and simple as I hoped though. :( > > > > We definitely want to explain in a comment next to the default value the > exact reasoning behind the default value, I think. That doesn't mean people > will understand it, but it means they at least have a chance. > > That said, #2 seems reasonable I think, but I wouldn't object to #1 either > :) Although I don't think that making .NET users on XP use 3DES is a big problem, there is also no urgent need to drop RC4, as long as all reasonable alternatives are used first. Attached patch changes default ciphersuite to HIGH:MEDIUM:+3DES:!aNULL and also adds documentation about reasoning for it. (I tried to be consistent there about "cipher" vs. "cipher suite", not sure whether I succeeded.) Summary: this default with previous server-order-first patch make sure that MEDIUM ciphers are never picked accidentally (eg. the bad default in Java 6), but only when explicitly requested or when only alternative is 3DES. -- marko
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml index 8896988..2755f55 100644 --- a/doc/src/sgml/config.sgml +++ b/doc/src/sgml/config.sgml @@ -876,12 +876,62 @@ include 'filename' </indexterm> <listitem> <para> - Specifies a list of <acronym>SSL</> ciphers that are allowed to be + Specifies a list of <acronym>SSL</> cipher suites that are allowed to be used on secure connections. See the <citerefentry><refentrytitle>ciphers</></citerefentry> manual page in the <application>OpenSSL</> package for the syntax of this setting - and a list of supported values. The default value is usually - reasonable, unless you have specific security requirements. + and a list of supported values. The default value is + <literal>HIGH:MEDIUM:+3DES:!aNULL</>. It is usually reasonable, + unless you have specific security requirements. + </para> + <para> + Explanation for default value: + <variablelist> + <varlistentry> + <term><literal>HIGH</literal></term> + <listitem> + <para> + Cipher suites that use ciphers from <literal>HIGH</> section. + (AES, Camellia, 3DES) + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><literal>MEDIUM</literal></term> + <listitem> + <para> + Cipher suites that use ciphers from <literal>MEDIUM</> section. + (RC4, SEED) + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><literal>+3DES</literal></term> + <listitem> + <para> + OpenSSL default order for <literal>HIGH</> is problematic as it orders 3DES + higher than AES128. This is wrong as 3DES offers less security than AES128 + and it is also much slower. <literal>+3DES</> reorders it after all other + <literal>HIGH</> and <literal>MEDIUM</> ciphers. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><literal>!aNULL</literal></term> + <listitem> + <para> + Disables anonymous cipher suites that do no authentication. + Such cipher suites are vulnerable to a "man in the middle" + attack and so should not be used. + </para> + </listitem> + </varlistentry> + </variablelist> + Available cipher suite details will vary across OpenSSL versions, these values + are taken from <application>OpenSSL</> 1.0.1. Use command + <literal>openssl ciphers -v 'HIGH:MEDIUM:+3DES:!aNULL'</literal> + to see actual details for currently installed <application>OpenSSL</> version. + Note that this list is filtered on runtime based on server key type. </para> </listitem> </varlistentry> diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c index e69e132..0ad02e8 100644 --- a/src/backend/utils/misc/guc.c +++ b/src/backend/utils/misc/guc.c @@ -3156,7 +3156,7 @@ static struct config_string ConfigureNamesString = }, &SSLCipherSuites, #ifdef USE_SSL - "DEFAULT:!LOW:!EXP:!MD5:@STRENGTH", + "HIGH:MEDIUM:+3DES:!aNULL", #else "none", #endif diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample index f8bdce3..aff9f84 100644 --- a/src/backend/utils/misc/postgresql.conf.sample +++ b/src/backend/utils/misc/postgresql.conf.sample @@ -79,7 +79,7 @@ #authentication_timeout = 1min # 1s-600s #ssl = off # (change requires restart) -#ssl_ciphers = 'DEFAULT:!LOW:!EXP:!MD5:@STRENGTH' # allowed SSL ciphers +#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers # (change requires restart) #ssl_prefer_server_ciphers = on # (change requires restart) #ssl_ecdh_curve = 'prime256v1' # (change requires restart)
-- Sent via pgsql-hackers mailing list (firstname.lastname@example.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers