Re: [PATCHES] SSL enhancement patch ver.2
Patch applied --- SSL improvements: o read global SSL configuration file o add GUC ssl_ciphers to control allowed ciphers o add libpq environment variable PGSSLKEY to control SSL hardware keys I adjusted the documentation wording and some of the single-letter variable names you used --- the applied verison is attached. Thanks. --- Victor B. Wagner wrote: This patch adds following functionality to PostgreSQL 1. If PostgreSQL is compiled with OpenSSL version 0.9.7 and above, both backend and libpq read site-wide OpenSSL configuration file as described in OPENSSL_config functon manual page. This allows to use hardware crypto acceleration modules (engines) and, in future version 0.9.9 would allow to use additional cryptoalgorithms (i.e. national standards) which are not included in core OpenSSL. All other configuration parameters which are supported by OpenSSL library also are taken into account. 2. New configuration option ssl_ciphers is added to postgresql.conf. This option allows to change list of ciphers, acceptable by backend during SSL connection. Changing list of ciphers can be desirable to tighten or relax security of particular installation, and allows quick fix on configuration file level in case if vulnerability is discovered in one of cryptoalgorithms or their OpenSSL implementation - cipher suites which use such algorithm can be easily disabled. 3. If libpq compiled with OpenSSL 0.9.7 and above, compiled with engine support, it is possible to store secret key of client certificate on the hardware token, supported by one of OpenSSL engines (Hardware Security Module). Name of engine which supports token and engine-specific key ID are specifyed using environment variable PGSSLKEY. This allows use of hardware tokens such as smartcards to identify clients, connecting to database. This functionality can be used in installations with high security requirements or in situations where several people can use same terminal (such as cash register in shops or malls). If PostgreSQL is compiled with version of OpenSSL which do not support engines or doesn't have OPENSSL_config function, related functionality is excluded by preprocessor conditionals, based on value of SSLEAY_VERSION_NUMBER preprocessor symbol which is defined by all versions of OpenSSL. [ Attachment, skipping... ] ---(end of broadcast)--- TIP 5: don't forget to increase your free space map settings -- Bruce Momjian [EMAIL PROTECTED] http://momjian.us EnterpriseDB http://www.enterprisedb.com + If your life is a hard drive, Christ can be your backup. + Index: doc/src/sgml/config.sgml === RCS file: /cvsroot/pgsql/doc/src/sgml/config.sgml,v retrieving revision 1.110 diff -c -c -r1.110 config.sgml *** doc/src/sgml/config.sgml 8 Feb 2007 15:46:03 - 1.110 --- doc/src/sgml/config.sgml 16 Feb 2007 01:26:20 - *** *** 569,574 --- 569,588 /listitem /varlistentry + varlistentry id=guc-ssl-ciphers xreflabel=ssl-ciphers + termvarnamessl_ciphers (typestring/type)/term + indexterm +primaryvarnamessl_ciphers/ configuration parameter/primary + /indexterm + listitem +para + Specifies a list of acronymSSL/ ciphers which can be used to + establish secure connections. See the applicationopenssl/ + manual page for a list of supported ciphers. +/para + /listitem + /varlistentry + varlistentry id=guc-password-encryption xreflabel=password_encryption termvarnamepassword_encryption/varname (typeboolean/type)/term indexterm Index: doc/src/sgml/libpq.sgml === RCS file: /cvsroot/pgsql/doc/src/sgml/libpq.sgml,v retrieving revision 1.228 diff -c -c -r1.228 libpq.sgml *** doc/src/sgml/libpq.sgml 6 Feb 2007 03:03:11 - 1.228 --- doc/src/sgml/libpq.sgml 16 Feb 2007 01:26:22 - *** *** 4175,4180 --- 4175,4192 listitem para indexterm + primaryenvarPGSSLKEY/envar/primary + /indexterm + envarPGSSLKEY/envar + specifies the hardware token which stores the secret key for the client + certificate, instead of a file. The value of this variable should consist + of a colon-separated engine name (engines are productnameOpenSSL/ + loadable modules) and an engine-specific key identifier. + /para + /listitem + listitem + para + indexterm primaryenvarPGKRBSRVNAME/envar/primary /indexterm envarPGKRBSRVNAME/envar sets the Kerberos service name to use when *** *** 4438,4457 for increased security. See xref linkend=ssl-tcp for details about the server-side acronymSSL/ functionality.
Re: [PATCHES] SSL enhancement patch ver.2
Never mind, I found the answer: http://archives.postgresql.org/pgsql-hackers/2006-08/msg01931.php Working on the patch now. --- Bruce Momjian wrote: Victor B. Wagner wrote: This patch adds following functionality to PostgreSQL 1. If PostgreSQL is compiled with OpenSSL version 0.9.7 and above, both backend and libpq read site-wide OpenSSL configuration file as described in OPENSSL_config functon manual page. This allows to use hardware crypto acceleration modules (engines) and, in future version 0.9.9 would allow to use additional cryptoalgorithms (i.e. national standards) which are not included in core OpenSSL. All other configuration parameters which are supported by OpenSSL library also are taken into account. 2. New configuration option ssl_ciphers is added to postgresql.conf. This option allows to change list of ciphers, acceptable by backend during SSL connection. Changing list of ciphers can be desirable to tighten or relax security of particular installation, and allows quick fix on configuration file level in case if vulnerability is discovered in one of cryptoalgorithms or their OpenSSL implementation - cipher suites which use such algorithm can be easily disabled. Why are you adding ssl_ciphers to postgresql.conf? Can't you control that from the site-wide OpenSSL configuration file added above? -- Bruce Momjian [EMAIL PROTECTED] http://momjian.us EnterpriseDB http://www.enterprisedb.com + If your life is a hard drive, Christ can be your backup. + ---(end of broadcast)--- TIP 2: Don't 'kill -9' the postmaster -- Bruce Momjian [EMAIL PROTECTED] http://momjian.us EnterpriseDB http://www.enterprisedb.com + If your life is a hard drive, Christ can be your backup. + ---(end of broadcast)--- TIP 4: Have you searched our list archives? http://archives.postgresql.org
Re: [PATCHES] SSL enhancement patch ver.2
Your patch has been added to the PostgreSQL unapplied patches list at: http://momjian.postgresql.org/cgi-bin/pgpatches It will be applied as soon as one of the PostgreSQL committers reviews and approves it. --- Victor B. Wagner wrote: This patch adds following functionality to PostgreSQL 1. If PostgreSQL is compiled with OpenSSL version 0.9.7 and above, both backend and libpq read site-wide OpenSSL configuration file as described in OPENSSL_config functon manual page. This allows to use hardware crypto acceleration modules (engines) and, in future version 0.9.9 would allow to use additional cryptoalgorithms (i.e. national standards) which are not included in core OpenSSL. All other configuration parameters which are supported by OpenSSL library also are taken into account. 2. New configuration option ssl_ciphers is added to postgresql.conf. This option allows to change list of ciphers, acceptable by backend during SSL connection. Changing list of ciphers can be desirable to tighten or relax security of particular installation, and allows quick fix on configuration file level in case if vulnerability is discovered in one of cryptoalgorithms or their OpenSSL implementation - cipher suites which use such algorithm can be easily disabled. 3. If libpq compiled with OpenSSL 0.9.7 and above, compiled with engine support, it is possible to store secret key of client certificate on the hardware token, supported by one of OpenSSL engines (Hardware Security Module). Name of engine which supports token and engine-specific key ID are specifyed using environment variable PGSSLKEY. This allows use of hardware tokens such as smartcards to identify clients, connecting to database. This functionality can be used in installations with high security requirements or in situations where several people can use same terminal (such as cash register in shops or malls). If PostgreSQL is compiled with version of OpenSSL which do not support engines or doesn't have OPENSSL_config function, related functionality is excluded by preprocessor conditionals, based on value of SSLEAY_VERSION_NUMBER preprocessor symbol which is defined by all versions of OpenSSL. [ Attachment, skipping... ] ---(end of broadcast)--- TIP 5: don't forget to increase your free space map settings -- Bruce Momjian [EMAIL PROTECTED] http://momjian.us EnterpriseDB http://www.enterprisedb.com + If your life is a hard drive, Christ can be your backup. + ---(end of broadcast)--- TIP 9: In versions below 8.0, the planner will ignore your desire to choose an index scan if your joining column's datatypes do not match
Re: [PATCHES] SSL enhancement patch ver.2
This has been saved for the 8.3 release: http://momjian.postgresql.org/cgi-bin/pgpatches_hold --- Victor B. Wagner wrote: This patch adds following functionality to PostgreSQL 1. If PostgreSQL is compiled with OpenSSL version 0.9.7 and above, both backend and libpq read site-wide OpenSSL configuration file as described in OPENSSL_config functon manual page. This allows to use hardware crypto acceleration modules (engines) and, in future version 0.9.9 would allow to use additional cryptoalgorithms (i.e. national standards) which are not included in core OpenSSL. All other configuration parameters which are supported by OpenSSL library also are taken into account. 2. New configuration option ssl_ciphers is added to postgresql.conf. This option allows to change list of ciphers, acceptable by backend during SSL connection. Changing list of ciphers can be desirable to tighten or relax security of particular installation, and allows quick fix on configuration file level in case if vulnerability is discovered in one of cryptoalgorithms or their OpenSSL implementation - cipher suites which use such algorithm can be easily disabled. 3. If libpq compiled with OpenSSL 0.9.7 and above, compiled with engine support, it is possible to store secret key of client certificate on the hardware token, supported by one of OpenSSL engines (Hardware Security Module). Name of engine which supports token and engine-specific key ID are specifyed using environment variable PGSSLKEY. This allows use of hardware tokens such as smartcards to identify clients, connecting to database. This functionality can be used in installations with high security requirements or in situations where several people can use same terminal (such as cash register in shops or malls). If PostgreSQL is compiled with version of OpenSSL which do not support engines or doesn't have OPENSSL_config function, related functionality is excluded by preprocessor conditionals, based on value of SSLEAY_VERSION_NUMBER preprocessor symbol which is defined by all versions of OpenSSL. [ Attachment, skipping... ] ---(end of broadcast)--- TIP 5: don't forget to increase your free space map settings -- Bruce Momjian [EMAIL PROTECTED] EnterpriseDBhttp://www.enterprisedb.com + If your life is a hard drive, Christ can be your backup. + ---(end of broadcast)--- TIP 6: explain analyze is your friend
