This patch adds two new configuration directives to the postgresql.conf file

1. ssl_ciphers  - allows the server administrator to specify the set of SSL
ciphersuites which clients can use to connect to the server.

2. ssl_engine - allows specifying a loadable crypto engine (i.e. hardware
crypto accelerator support) to use.


diff -crN ../pgsql-20060830/doc/src/sgml/config.sgml ./doc/src/sgml/config.sgml
*** ../pgsql-20060830/doc/src/sgml/config.sgml  2006-08-30 16:01:12.000000000 
+0400
--- ./doc/src/sgml/config.sgml  2006-08-30 16:04:11.000000000 +0400
***************
*** 555,561 ****
         </para>
        </listitem>
       </varlistentry>
! 
       <varlistentry id="guc-password-encryption" 
xreflabel="password_encryption">
        <term><varname>password_encryption</varname> 
(<type>boolean</type>)</term>
        <indexterm>
--- 555,596 ----
         </para>
        </listitem>
       </varlistentry>
!        <varlistentry id="guc-ssl-ciphers" xreflabel="ssl-ciphers">
!        <term><varname>ssl_ciphers> (<type>string</type>)</term>
!        <indexterm>
!               <primary><varname>ssl_ciphers</> configuration 
parameter</primary>
!        </indexterm>
!        <listitem>
!         <para>
!               Specifies list of <acronym>SSL</> ciphers, which can be used to
!               establish secure connection. See manual page for
!               <command>openssl ciphers</command>
!               command to find list of allowed values and their semantics.
!         </para>       
!        </listitem>
!        </varlistentry>
!        <varlistentry id="guc-ssl-engine" xreflabel="ssl-engine">
!        <term><varname>ssl_engine</> (<type>string</type>)</term>
!        <indexterm>
!               <primary><varname>ssl_engine</> configuration 
parameter</primary>
!        </indexterm>
!        <listitem>
!         <para>
!               Specifies name of <productname>OpenSSL</> engine (loadable 
module),
!               which should be used to perform cryptographic operation during
!               <acronym>SSL</> connections. Typically engines are used to
!               support hardware cryptographic accelerators. See
!               <productname>OpenSSL</> documentation for more information about
!               engines.
!        </para>
!          <para>
!          Value of this option is engine identifier. Deafault value is
!          NULL, which means that default <productname>OpenSSL</>
!          implementations of cryptoalgorithms should be used.
!         </para>       
!        </listitem>
!        </varlistentry>
!        
       <varlistentry id="guc-password-encryption" 
xreflabel="password_encryption">
        <term><varname>password_encryption</varname> 
(<type>boolean</type>)</term>
        <indexterm>
diff -crN ../pgsql-20060830/doc/src/sgml/runtime.sgml 
./doc/src/sgml/runtime.sgml
*** ../pgsql-20060830/doc/src/sgml/runtime.sgml 2006-08-30 16:01:12.000000000 
+0400
--- ./doc/src/sgml/runtime.sgml 2006-08-30 16:04:11.000000000 +0400
***************
*** 1516,1521 ****
--- 1516,1539 ----
    </para>
  
    <para>
+       <productname>OpenSSL</productname> supports wide range of ciphers
+       and authentication algorithms, which strength varies significantly.
+       You can restrict list of ciphers which can be used to connect to
+       your server using  <xref linkend="guc-ssl-ciphers"> parameter.
+   </para>
+ 
+   <para>
+     <productname>OpenSSL</productname> supports loadable module, called
+       engines, which can provide alternative (typically hardware
+       accelerated) implementation of cryptographic algorithms. Starting
+       with version 0.9.9 it also supports adding of new (for instance
+       Russian or Japanese national standards) cryptoalgorithms via engine.
+   </para>
+   <para>
+     <productname>PostgreSQL</> allows to specify engine to use via
+       <xref linkend="guc-ssl-engine"> configuration file parameter.
+   </para>     
+   <para>
     For details on how to create your server private key and certificate,
     refer to the <productname>OpenSSL</> documentation. A
     self-signed certificate can be used for testing, but a
diff -crN ../pgsql-20060830/src/backend/libpq/be-secure.c 
./src/backend/libpq/be-secure.c
*** ../pgsql-20060830/src/backend/libpq/be-secure.c     2006-08-30 
16:01:28.000000000 +0400
--- ./src/backend/libpq/be-secure.c     2006-08-30 16:04:11.000000000 +0400
***************
*** 92,97 ****
--- 92,98 ----
  #ifdef USE_SSL
  #include <openssl/ssl.h>
  #include <openssl/dh.h>
+ #include <openssl/engine.h> 
  #endif
  
  #include "libpq/libpq.h"
***************
*** 125,130 ****
--- 126,136 ----
  #define RENEGOTIATION_LIMIT (512 * 1024 * 1024)
  
  static SSL_CTX *SSL_context = NULL;
+ 
+ /* GUC variables contrilling SSL connection*/
+ extern char *SSLEngine;
+ extern char *SSLCipherSuites;
+ 
  #endif
  
  /* ------------------------------------------------------------ */
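Review bot: The `extern char *SSLEngine;` and `extern char *SSLCipherSuites;` declarations added here duplicate the ones this same patch adds to src/include/postmaster/postmaster.h; including that header in be-secure.c instead of redeclaring the variables leaves a single declaration that cannot drift from the definitions in postmaster.c. The comment above them also has a typo and a missing space before the closer: `/* GUC variables controlling SSL connection */`.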
***************
*** 714,724 ****
--- 720,755 ----
  initialize_SSL(void)
  {
        struct stat buf;
+       static int loaded_engines=0;
  
        if (!SSL_context)
        {
                SSL_library_init();
                SSL_load_error_strings();
+               if (SSLEngine!=NULL) 
+               {
+                       ENGINE *e=NULL;
+                       if (!loaded_engines) 
+                       {
+                               ENGINE_load_builtin_engines();
+                               loaded_engines=1;
+                       }
+                       if ((e = ENGINE_by_id(SSLEngine))==NULL) 
+                       {
+                               ereport(FATAL,
+                                               
(errcode(ERRCODE_CONFIG_FILE_ERROR),
+                                               errmsg("failed to load engine 
%s: %s",
+                                                       
SSLEngine,ERR_error_string(ERR_get_error(),NULL))));    
+                       }
+                       if (!ENGINE_set_default(e,ENGINE_METHOD_ALL))
+                       {
+                               ereport(FATAL,
+                                               
(errcode(ERRCODE_CONFIG_FILE_ERROR),
+                                               errmsg("failed to enable engine 
%s: %s",
+                                                       
SSLEngine,ERR_error_string(ERR_get_error(),NULL))));
+                       }
+                       ENGINE_free(e);
+               }
                SSL_context = SSL_CTX_new(SSLv23_method());
                if (!SSL_context)
                        ereport(FATAL,
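Review bot: `if (SSLEngine!=NULL)` treats an explicit `ssl_engine = ''` as a request to load an engine named "", which `ENGINE_by_id` rejects and the postmaster then dies with FATAL; guarding with `if (SSLEngine != NULL && SSLEngine[0] != '\0')` lets an empty setting mean "no engine", the same as the NULL default documented in config.sgml. The `loaded_engines` static is redundant, since the whole block already runs only inside `if (!SSL_context)`, so `ENGINE_load_builtin_engines()` can simply be called there. The two FATAL reports pass `ERR_error_string(ERR_get_error(), NULL)` straight into errmsg, which yields an uninformative all-zero string whenever the OpenSSL error queue happens to be empty; if this file's other SSL failure paths go through a shared error-string helper, these should presumably use the same one. `ENGINE_set_default(e, ENGINE_METHOD_ALL)` makes the engine the default for every method class, RAND included, not only the accelerated ciphers, and a comment such as `/* engine becomes default for ALL method classes (incl. RAND); failure is FATAL so we never fall back silently to software crypto */` would record that choice for the next maintainer. initialize_SSL continues past the end of this hunk.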
***************
*** 778,784 ****
        SSL_CTX_set_options(SSL_context, SSL_OP_SINGLE_DH_USE | 
SSL_OP_NO_SSLv2);
  
        /* setup the allowed cipher list */
!       if (SSL_CTX_set_cipher_list(SSL_context, 
"ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH") != 1)
                elog(FATAL, "could not set the cipher list (no valid ciphers 
available)");
  
        /*
--- 809,815 ----
        SSL_CTX_set_options(SSL_context, SSL_OP_SINGLE_DH_USE | 
SSL_OP_NO_SSLv2);
  
        /* setup the allowed cipher list */
!       if (SSL_CTX_set_cipher_list(SSL_context, SSLCipherSuites) != 1)
                elog(FATAL, "could not set the cipher list (no valid ciphers 
available)");
  
        /*
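Review bot: The FATAL message at the `SSL_CTX_set_cipher_list` failure now reports the rejection of an administrator-supplied `ssl_ciphers` value rather than a fixed string, yet it does not say which value was rejected; `elog(FATAL, "could not set the cipher list \"%s\" (no valid ciphers available)", SSLCipherSuites);` makes the misconfiguration diagnosable from the server log. The value is PGC_POSTMASTER in the guc.c hunk of this patch, so it comes only from the configuration file and echoing it in the log does not expose anything a client supplied. The enclosing function starts outside this hunk.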
diff -crN ../pgsql-20060830/src/backend/postmaster/postmaster.c 
./src/backend/postmaster/postmaster.c
*** ../pgsql-20060830/src/backend/postmaster/postmaster.c       2006-08-30 
16:01:32.000000000 +0400
--- ./src/backend/postmaster/postmaster.c       2006-08-30 16:04:11.000000000 
+0400
***************
*** 186,191 ****
--- 186,193 ----
  
  /* still more option variables */
  bool          EnableSSL = false;
+ char *                SSLCipherSuites;
+ char *                SSLEngine;
  bool          SilentMode = false; /* silent mode (-S) */
  
  int                   PreAuthDelay = 0;
diff -crN ../pgsql-20060830/src/backend/utils/misc/guc.c 
./src/backend/utils/misc/guc.c
*** ../pgsql-20060830/src/backend/utils/misc/guc.c      2006-08-30 
16:01:36.000000000 +0400
--- ./src/backend/utils/misc/guc.c      2006-08-30 16:04:11.000000000 +0400
***************
*** 2233,2239 ****
                &external_pid_file,
                NULL, assign_canonical_path, NULL
        },
! 
        /* End-of-list marker */
        {
                {NULL, 0, 0, NULL, NULL}, NULL, NULL, NULL, NULL
--- 2233,2257 ----
                &external_pid_file,
                NULL, assign_canonical_path, NULL
        },
!       {
!               {"ssl_ciphers", PGC_POSTMASTER, CONN_AUTH_SECURITY,
!                       gettext_noop("List of allowed SSL ciphersuites"),
!                       NULL,
!                       GUC_SUPERUSER_ONLY
!               },
!               &SSLCipherSuites,
!               "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH",NULL,NULL
!     },
!       {
!               {"ssl_engine", PGC_POSTMASTER, CONN_AUTH_SECURITY,
!                       gettext_noop("Loadable cryptographic engine to use"),
!                       NULL,
!                       GUC_SUPERUSER_ONLY
!               },
!               &SSLEngine,
!               NULL,NULL,NULL
!       },              
!                       
        /* End-of-list marker */
        {
                {NULL, 0, 0, NULL, NULL}, NULL, NULL, NULL, NULL
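Review bot: The closing brace of the ssl_ciphers entry (`!     },`) is indented with spaces where the surrounding table uses tabs, and the two lines following the ssl_engine entry carry only trailing whitespace; both should match the neighbouring entries. The ssl_ciphers boot value `"ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"` is the string be-secure.c previously hard-coded, so the default behaviour is preserved, which is worth stating in the short description, e.g. `gettext_noop("List of allowed SSL ciphersuites (OpenSSL cipher-list syntax)")`.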
diff -crN ../pgsql-20060830/src/backend/utils/misc/postgresql.conf.sample 
./src/backend/utils/misc/postgresql.conf.sample
*** ../pgsql-20060830/src/backend/utils/misc/postgresql.conf.sample     
2006-08-30 16:01:36.000000000 +0400
--- ./src/backend/utils/misc/postgresql.conf.sample     2006-08-30 
16:11:40.000000000 +0400
***************
*** 71,76 ****
--- 71,78 ----
  
  #authentication_timeout = 60          # 1-600, in seconds
  #ssl = off                            # (change requires restart)
+ #ssl_engine = 'ncipher' # Name of the OpenSSL engine to use
+ #ssl_ciphers = 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH' # List of ciphers to use
  #password_encryption = on
  #db_user_namespace = off
  
diff -crN ../pgsql-20060830/src/include/postmaster/postmaster.h 
./src/include/postmaster/postmaster.h
*** ../pgsql-20060830/src/include/postmaster/postmaster.h       2006-08-30 
16:01:42.000000000 +0400
--- ./src/include/postmaster/postmaster.h       2006-08-30 16:04:11.000000000 
+0400
***************
*** 15,20 ****
--- 15,22 ----
  
  /* GUC options */
  extern bool EnableSSL;
+ extern char *SSLCipherSuites;
+ extern char *SSLEngine;
  extern bool SilentMode;
  extern int    ReservedBackends;
  extern int    PostPortNumber;