This patch adds two new configuration directives to the postgresql.conf file:
1. ssl_ciphers - allows the server administrator to specify the set of SSL
ciphersuites which clients can use to connect to the server.
2. ssl_engine - allows specifying a loadable crypto engine (i.e. hardware
crypto accelerator support) to use.
diff -crN ../pgsql-20060830/doc/src/sgml/config.sgml ./doc/src/sgml/config.sgml
*** ../pgsql-20060830/doc/src/sgml/config.sgml 2006-08-30 16:01:12.000000000
+0400
--- ./doc/src/sgml/config.sgml 2006-08-30 16:04:11.000000000 +0400
***************
*** 555,561 ****
</para>
</listitem>
</varlistentry>
!
<varlistentry id="guc-password-encryption"
xreflabel="password_encryption">
<term><varname>password_encryption</varname>
(<type>boolean</type>)</term>
<indexterm>
--- 555,596 ----
</para>
</listitem>
</varlistentry>
! <varlistentry id="guc-ssl-ciphers" xreflabel="ssl-ciphers">
! <term><varname>ssl_ciphers> (<type>string</type>)</term>
! <indexterm>
! <primary><varname>ssl_ciphers</> configuration
parameter</primary>
! </indexterm>
! <listitem>
! <para>
! Specifies list of <acronym>SSL</> ciphers, which can be used to
! establish secure connection. See manual page for
! <command>openssl ciphers</command>
! command to find list of allowed values and their semantics.
! </para>
! </listitem>
! </varlistentry>
! <varlistentry id="guc-ssl-engine" xreflabel="ssl-engine">
! <term><varname>ssl_engine</> (<type>string</type>)</term>
! <indexterm>
! <primary><varname>ssl_engine</> configuration
parameter</primary>
! </indexterm>
! <listitem>
! <para>
! Specifies name of <productname>OpenSSL</> engine (loadable
module),
! which should be used to perform cryptographic operation during
! <acronym>SSL</> connections. Typically engines are used to
! support hardware cryptographic accelerators. See
! <productname>OpenSSL</> documentation for more information about
! engines.
! </para>
! <para>
! Value of this option is engine identifier. Deafault value is
! NULL, which means that default <productname>OpenSSL</>
! implementations of cryptoalgorithms should be used.
! </para>
! </listitem>
! </varlistentry>
!
<varlistentry id="guc-password-encryption"
xreflabel="password_encryption">
<term><varname>password_encryption</varname>
(<type>boolean</type>)</term>
<indexterm>
diff -crN ../pgsql-20060830/doc/src/sgml/runtime.sgml
./doc/src/sgml/runtime.sgml
*** ../pgsql-20060830/doc/src/sgml/runtime.sgml 2006-08-30 16:01:12.000000000
+0400
--- ./doc/src/sgml/runtime.sgml 2006-08-30 16:04:11.000000000 +0400
***************
*** 1516,1521 ****
--- 1516,1539 ----
</para>
<para>
+ <productname>OpenSSL</productname> supports wide range of ciphers
+ and authentication algorithms, which strength varies significantly.
+ You can restrict list of ciphers which can be used to connect to
+ your server using <xref linkend="guc-ssl-ciphers"> parameter.
+ </para>
+
+ <para>
+ <productname>OpenSSL</productname> supports loadable module, called
+ engines, which can provide alternative (typically hardware
+ accelerated) implementation of cryptographic algorithms. Starting
+ with version 0.9.9 it also supports adding of new (for instance
+ Russian or Japanese national standards) cryptoalgorithms via engine.
+ </para>
+ <para>
+ <productname>PostgreSQL</> allows to specify engine to use via
+ <xref linkend="guc-ssl-engine"> configuration file parameter.
+ </para>
+ <para>
For details on how to create your server private key and certificate,
refer to the <productname>OpenSSL</> documentation. A
self-signed certificate can be used for testing, but a
diff -crN ../pgsql-20060830/src/backend/libpq/be-secure.c
./src/backend/libpq/be-secure.c
*** ../pgsql-20060830/src/backend/libpq/be-secure.c 2006-08-30
16:01:28.000000000 +0400
--- ./src/backend/libpq/be-secure.c 2006-08-30 16:04:11.000000000 +0400
***************
*** 92,97 ****
--- 92,98 ----
#ifdef USE_SSL
#include <openssl/ssl.h>
#include <openssl/dh.h>
+ #include <openssl/engine.h>
#endif
#include "libpq/libpq.h"
***************
*** 125,130 ****
--- 126,136 ----
#define RENEGOTIATION_LIMIT (512 * 1024 * 1024)
static SSL_CTX *SSL_context = NULL;
+
+ /* GUC variables contrilling SSL connection*/
+ extern char *SSLEngine;
+ extern char *SSLCipherSuites;
+
#endif
/* ------------------------------------------------------------ */
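Review bot: The two `extern` declarations added here duplicate the ones this patch also adds to src/include/postmaster/postmaster.h, so the same variables are now declared in two translation units and a later type change in one place would not be caught in the other; including that header from be-secure.c would keep a single declaration. The comment above them also has a typo and a missing space, `/* GUC variables controlling SSL connections */`. It would help a reader to say where the values come from, e.g. `/* set from ssl_ciphers / ssl_engine by guc.c; both may be NULL */`.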
***************
*** 714,724 ****
--- 720,755 ----
initialize_SSL(void)
{
struct stat buf;
+ static int loaded_engines=0;
if (!SSL_context)
{
SSL_library_init();
SSL_load_error_strings();
+ if (SSLEngine!=NULL)
+ {
+ ENGINE *e=NULL;
+ if (!loaded_engines)
+ {
+ ENGINE_load_builtin_engines();
+ loaded_engines=1;
+ }
+ if ((e = ENGINE_by_id(SSLEngine))==NULL)
+ {
+ ereport(FATAL,
+
(errcode(ERRCODE_CONFIG_FILE_ERROR),
+ errmsg("failed to load engine
%s: %s",
+
SSLEngine,ERR_error_string(ERR_get_error(),NULL))));
+ }
+ if (!ENGINE_set_default(e,ENGINE_METHOD_ALL))
+ {
+ ereport(FATAL,
+
(errcode(ERRCODE_CONFIG_FILE_ERROR),
+ errmsg("failed to enable engine
%s: %s",
+
SSLEngine,ERR_error_string(ERR_get_error(),NULL))));
+ }
+ ENGINE_free(e);
+ }
SSL_context = SSL_CTX_new(SSLv23_method());
if (!SSL_context)
ereport(FATAL,
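Review bot: The guard `if (SSLEngine!=NULL)` treats an empty string as an engine name, so an administrator who writes `ssl_engine = ''` to mean "no engine" will, as far as I can tell, have the postmaster call `ENGINE_by_id("")`, fail, and exit with FATAL; a check of the form `if (SSLEngine != NULL && SSLEngine[0] != '\0')` would make the empty setting equivalent to the documented NULL default. The `static int loaded_engines` flag appears redundant: the whole engine block sits inside `if (!SSL_context)` and `SSL_context` is assigned a few lines later, so the engine code already runs at most once per process unless `SSL_context` is reset somewhere outside this hunk. The `ENGINE_free(e)` after a successful `ENGINE_set_default` is the documented OpenSSL pattern (it releases the structural reference from `ENGINE_by_id` while the default-method references keep the engine alive), which is worth a one-line comment such as `/* drop our structural ref; ENGINE_set_default holds its own */` so it is not "fixed" later. The body of initialize_SSL continues past the end of this hunk.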
***************
*** 778,784 ****
SSL_CTX_set_options(SSL_context, SSL_OP_SINGLE_DH_USE |
SSL_OP_NO_SSLv2);
/* setup the allowed cipher list */
! if (SSL_CTX_set_cipher_list(SSL_context,
"ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH") != 1)
elog(FATAL, "could not set the cipher list (no valid ciphers
available)");
/*
--- 809,815 ----
SSL_CTX_set_options(SSL_context, SSL_OP_SINGLE_DH_USE |
SSL_OP_NO_SSLv2);
/* setup the allowed cipher list */
! if (SSL_CTX_set_cipher_list(SSL_context, SSLCipherSuites) != 1)
elog(FATAL, "could not set the cipher list (no valid ciphers
available)");
/*
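Review bot: Now that the cipher list comes from the administrator rather than a compiled-in constant, the FATAL message on the line after the changed call should echo the configured value, otherwise a typo in `ssl_ciphers` is only diagnosable by guessing; the engine code added earlier in this patch already reports such failures as config-file errors, so the same form would be consistent here: `ereport(FATAL,` / `(errcode(ERRCODE_CONFIG_FILE_ERROR),` / `errmsg("could not set the cipher list \"%s\" (no valid ciphers available)", SSLCipherSuites)));`. Since OpenSSL rejects an empty or entirely unknown list, this change also turns a bad `ssl_ciphers` value into a startup failure rather than a fallback to the previous built-in list, which is acceptable but deserves a comment above the call, e.g. `/* SSLCipherSuites is the ssl_ciphers GUC; an unusable list is a startup error */`. The enclosing function starts outside this hunk.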
diff -crN ../pgsql-20060830/src/backend/postmaster/postmaster.c
./src/backend/postmaster/postmaster.c
*** ../pgsql-20060830/src/backend/postmaster/postmaster.c 2006-08-30
16:01:32.000000000 +0400
--- ./src/backend/postmaster/postmaster.c 2006-08-30 16:04:11.000000000
+0400
***************
*** 186,191 ****
--- 186,193 ----
/* still more option variables */
bool EnableSSL = false;
+ char * SSLCipherSuites;
+ char * SSLEngine;
bool SilentMode = false; /* silent mode (-S) */
int PreAuthDelay = 0;
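Review bot: The two added definitions are written `char * SSLCipherSuites;` and `char * SSLEngine;`, while the surrounding option variables bind the declarator to the name and initialise explicitly (`bool EnableSSL = false;` directly above); `char *SSLCipherSuites = NULL;` and `char *SSLEngine = NULL;` would match, and the explicit NULL documents that "unset" is a valid state the SSL code has to handle. A trailing comment like the neighbouring `/* silent mode (-S) */` would also help, e.g. `/* ssl_ciphers GUC */` and `/* ssl_engine GUC, NULL = built-in OpenSSL */`.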
diff -crN ../pgsql-20060830/src/backend/utils/misc/guc.c
./src/backend/utils/misc/guc.c
*** ../pgsql-20060830/src/backend/utils/misc/guc.c 2006-08-30
16:01:36.000000000 +0400
--- ./src/backend/utils/misc/guc.c 2006-08-30 16:04:11.000000000 +0400
***************
*** 2233,2239 ****
&external_pid_file,
NULL, assign_canonical_path, NULL
},
!
/* End-of-list marker */
{
{NULL, 0, 0, NULL, NULL}, NULL, NULL, NULL, NULL
--- 2233,2257 ----
&external_pid_file,
NULL, assign_canonical_path, NULL
},
! {
! {"ssl_ciphers", PGC_POSTMASTER, CONN_AUTH_SECURITY,
! gettext_noop("List of allowed SSL ciphersuites"),
! NULL,
! GUC_SUPERUSER_ONLY
! },
! &SSLCipherSuites,
! "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH",NULL,NULL
! },
! {
! {"ssl_engine", PGC_POSTMASTER, CONN_AUTH_SECURITY,
! gettext_noop("Loadable cryptographic engine to use"),
! NULL,
! GUC_SUPERUSER_ONLY
! },
! &SSLEngine,
! NULL,NULL,NULL
! },
!
/* End-of-list marker */
{
{NULL, 0, 0, NULL, NULL}, NULL, NULL, NULL, NULL
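Review bot: Both new entries leave the long description NULL, so `SHOW` and pg_settings give the administrator only "List of allowed SSL ciphersuites" with no hint of the value syntax; a long_desc such as `gettext_noop("Uses the syntax of the openssl ciphers command.")` for ssl_ciphers and `gettext_noop("An OpenSSL engine identifier; unset means the built-in implementations.")` for ssl_engine would carry the same information the SGML hunks add. The NULL boot value for ssl_engine is consistent with the `external_pid_file` entry just above, so that part looks fine. Neither entry has an assign hook, so an invalid value is only detected when the postmaster initialises SSL and exits FATAL; that is probably unavoidable without pulling OpenSSL into guc.c, but a short comment on the entries saying validation happens in initialize_SSL would save the next reader the search. Minor style: `"ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH",NULL,NULL` is missing the spaces after commas used elsewhere in this table.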
diff -crN ../pgsql-20060830/src/backend/utils/misc/postgresql.conf.sample
./src/backend/utils/misc/postgresql.conf.sample
*** ../pgsql-20060830/src/backend/utils/misc/postgresql.conf.sample
2006-08-30 16:01:36.000000000 +0400
--- ./src/backend/utils/misc/postgresql.conf.sample 2006-08-30
16:11:40.000000000 +0400
***************
*** 71,76 ****
--- 71,78 ----
#authentication_timeout = 60 # 1-600, in seconds
#ssl = off # (change requires restart)
+ #ssl_engine = 'ncipher' # Name of the OpenSSL engine to use
+ #ssl_ciphers = 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH' # List of ciphers to use
#password_encryption = on
#db_user_namespace = off
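Review bot: The two sample lines omit the "(change requires restart)" annotation that `#ssl = off` directly above carries, even though both new GUCs are registered as PGC_POSTMASTER in guc.c in this same patch; administrators rely on that marker to know a reload is not enough. The `'ncipher'` example also reads as if it were the default, whereas the GUC default is unset; labelling it as an example keeps the sample honest: `#ssl_engine = 'ncipher' # example OpenSSL engine id (change requires restart)` and `#ssl_ciphers = 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH' # allowed SSL ciphers (change requires restart)`.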
diff -crN ../pgsql-20060830/src/include/postmaster/postmaster.h
./src/include/postmaster/postmaster.h
*** ../pgsql-20060830/src/include/postmaster/postmaster.h 2006-08-30
16:01:42.000000000 +0400
--- ./src/include/postmaster/postmaster.h 2006-08-30 16:04:11.000000000
+0400
***************
*** 15,20 ****
--- 15,22 ----
/* GUC options */
extern bool EnableSSL;
+ extern char *SSLCipherSuites;
+ extern char *SSLEngine;
extern bool SilentMode;
extern int ReservedBackends;
extern int PostPortNumber;