Re: [PATCHES] SSL enhancement patch ver.2
Patch applied --- SSL improvements:

  o read global SSL configuration file
  o add GUC "ssl_ciphers" to control allowed ciphers
  o add libpq environment variable PGSSLKEY to control SSL hardware keys

I adjusted the documentation wording and some of the single-letter
variable names you used --- the applied version is attached.

Thanks.

---

Victor B. Wagner wrote:
> This patch adds following functionality to PostgreSQL
>
> 1. If PostgreSQL is compiled with OpenSSL version 0.9.7 and above,
> both backend and libpq read site-wide OpenSSL configuration file as
> described in OPENSSL_config function manual page.
>
> This allows to use hardware crypto acceleration modules (engines) and,
> in future version 0.9.9 would allow to use additional cryptoalgorithms
> (i.e. national standards) which are not included in core OpenSSL.
>
> All other configuration parameters which are supported by OpenSSL
> library also are taken into account.
>
> 2. New configuration option "ssl_ciphers" is added to postgresql.conf.
> This option allows to change list of ciphers, acceptable by backend
> during SSL connection. Changing list of ciphers can be desirable to
> tighten or relax security of particular installation, and allows quick
> fix on configuration file level in case if vulnerability is discovered
> in one of cryptoalgorithms or their OpenSSL implementation - cipher
> suites which use such algorithm can be easily disabled.
>
> 3. If libpq compiled with OpenSSL 0.9.7 and above, compiled with engine
> support, it is possible to store secret key of client certificate on the
> hardware token, supported by one of OpenSSL engines (Hardware Security
> Module). Name of engine which supports token and engine-specific key ID
> are specified using environment variable PGSSLKEY.
>
> This allows use of hardware tokens such as smartcards to identify
> clients, connecting to database.
>
> This functionality can be used in installations with high security
> requirements or in situations where several people can use same terminal
> (such as cash register in shops or malls).
>
> If PostgreSQL is compiled with version of OpenSSL which do not support
> engines or doesn't have OPENSSL_config function, related functionality
> is excluded by preprocessor conditionals, based on value of
> SSLEAY_VERSION_NUMBER preprocessor symbol which is defined by all
> versions of OpenSSL.
>
> [ Attachment, skipping... ]
>
> ---(end of broadcast)---
> TIP 5: don't forget to increase your free space map settings

--
  Bruce Momjian <[EMAIL PROTECTED]> http://momjian.us
  EnterpriseDB http://www.enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +

Index: doc/src/sgml/config.sgml === RCS file: /cvsroot/pgsql/doc/src/sgml/config.sgml,v retrieving revision 1.110 diff -c -c -r1.110 config.sgml *** doc/src/sgml/config.sgml 8 Feb 2007 15:46:03 - 1.110 --- doc/src/sgml/config.sgml 16 Feb 2007 01:26:20 - *** *** 569,574 --- 569,588 + + ssl_ciphers> (string) + +ssl_ciphers configuration parameter + + + + Specifies a list of SSL ciphers which can be used to + establish secure connections. See the openssl + manual page for a list of supported ciphers. + + + + password_encryption (boolean) Index: doc/src/sgml/libpq.sgml === RCS file: /cvsroot/pgsql/doc/src/sgml/libpq.sgml,v retrieving revision 1.228 diff -c -c -r1.228 libpq.sgml *** doc/src/sgml/libpq.sgml 6 Feb 2007 03:03:11 - 1.228 --- doc/src/sgml/libpq.sgml 16 Feb 2007 01:26:22 - *** *** 4175,4180 --- 4175,4192 + PGSSLKEY + + PGSSLKEY + specifies the hardware token which stores the secret key for the client + certificate, instead of a file. The value of this variable should consist + of a colon-separated engine name (engines are OpenSSL + loadable modules) and an engine-specific key identifier. 
+ + + + + PGKRBSRVNAME PGKRBSRVNAME sets the Kerberos service name to use when *** *** 4438,4457 for increased security. See for details about the server-side SSL functionality. ! If the server demands a client certificate, libpq will send the certificate stored in file ~/.postgresql/postgresql.crt within the user's home directory. A matching private key file ~/.postgresql/postgresql.key !must also be present, and must not be world-readable. (On Microsoft Windows these files are named %APPDATA%\postgresql\postgresql.crt and %APPDATA%\postgresql\postgresql.key.)
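
Review bot: the new ssl_ciphers entry in the config.sgml hunk at 569 gives neither the default value nor the syntax of the string; "See the openssl manual page" leaves the reader to work out that the value is an OpenSSL cipher list as described in ciphers(1). Suggest stating the default, naming the ciphers manual page specifically, and saying whether a change takes effect on reload or only at server start.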
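
Review bot: in the libpq.sgml hunk at 4175 the PGSSLKEY text does not say which colon separates the two parts when the engine-specific key identifier itself contains colons, nor what libpq does when the value has no colon or the named engine cannot be loaded. Suggest documenting where the split happens, adding one example value, and describing the failure behaviour so a misconfigured client is easy to diagnose.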
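
Review bot: the libpq.sgml hunk at 4438,4457 is cut off before its new side, so only the old wording is visible, and that wording says a matching private key file "must also be present", which conflicts with the PGSSLKEY entry above where the key lives on a hardware token "instead of a file". The replacement paragraph should say that the key file is not required when PGSSLKEY is set, and keep the "must not be world-readable" requirement for the file case.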
Re: [PATCHES] SSL enhancement patch ver.2
Never mind, I found the answer:

  http://archives.postgresql.org/pgsql-hackers/2006-08/msg01931.php

Working on the patch now.

---

Bruce Momjian wrote:
> Victor B. Wagner wrote:
> > This patch adds following functionality to PostgreSQL
> >
> > 1. If PostgreSQL is compiled with OpenSSL version 0.9.7 and above,
> > both backend and libpq read site-wide OpenSSL configuration file as
> > described in OPENSSL_config function manual page.
> >
> > This allows to use hardware crypto acceleration modules (engines) and,
> > in future version 0.9.9 would allow to use additional cryptoalgorithms
> > (i.e. national standards) which are not included in core OpenSSL.
> >
> > All other configuration parameters which are supported by OpenSSL
> > library also are taken into account.
> >
> > 2. New configuration option "ssl_ciphers" is added to postgresql.conf.
> > This option allows to change list of ciphers, acceptable by backend
> > during SSL connection. Changing list of ciphers can be desirable to
> > tighten or relax security of particular installation, and allows quick
> > fix on configuration file level in case if vulnerability is discovered
> > in one of cryptoalgorithms or their OpenSSL implementation - cipher
> > suites which use such algorithm can be easily disabled.
>
> Why are you adding "ssl_ciphers" to postgresql.conf? Can't you control
> that from the site-wide OpenSSL configuration file added above?
>
> --
>   Bruce Momjian <[EMAIL PROTECTED]> http://momjian.us
>   EnterpriseDB http://www.enterprisedb.com

--
  Bruce Momjian <[EMAIL PROTECTED]> http://momjian.us
  EnterpriseDB http://www.enterprisedb.com
Re: [PATCHES] SSL enhancement patch ver.2
Victor B. Wagner wrote:
> This patch adds following functionality to PostgreSQL
>
> 1. If PostgreSQL is compiled with OpenSSL version 0.9.7 and above,
> both backend and libpq read site-wide OpenSSL configuration file as
> described in OPENSSL_config function manual page.
>
> This allows to use hardware crypto acceleration modules (engines) and,
> in future version 0.9.9 would allow to use additional cryptoalgorithms
> (i.e. national standards) which are not included in core OpenSSL.
>
> All other configuration parameters which are supported by OpenSSL
> library also are taken into account.
>
> 2. New configuration option "ssl_ciphers" is added to postgresql.conf.
> This option allows to change list of ciphers, acceptable by backend
> during SSL connection. Changing list of ciphers can be desirable to
> tighten or relax security of particular installation, and allows quick
> fix on configuration file level in case if vulnerability is discovered
> in one of cryptoalgorithms or their OpenSSL implementation - cipher
> suites which use such algorithm can be easily disabled.

Why are you adding "ssl_ciphers" to postgresql.conf? Can't you control
that from the site-wide OpenSSL configuration file added above?

--
  Bruce Momjian <[EMAIL PROTECTED]> http://momjian.us
  EnterpriseDB http://www.enterprisedb.com
Re: [PATCHES] SSL enhancement patch ver.2
Your patch has been added to the PostgreSQL unapplied patches list at:

  http://momjian.postgresql.org/cgi-bin/pgpatches

It will be applied as soon as one of the PostgreSQL committers reviews
and approves it.

---

Victor B. Wagner wrote:
> This patch adds following functionality to PostgreSQL
>
> 1. If PostgreSQL is compiled with OpenSSL version 0.9.7 and above,
> both backend and libpq read site-wide OpenSSL configuration file as
> described in OPENSSL_config function manual page.
>
> This allows to use hardware crypto acceleration modules (engines) and,
> in future version 0.9.9 would allow to use additional cryptoalgorithms
> (i.e. national standards) which are not included in core OpenSSL.
>
> All other configuration parameters which are supported by OpenSSL
> library also are taken into account.
>
> 2. New configuration option "ssl_ciphers" is added to postgresql.conf.
> This option allows to change list of ciphers, acceptable by backend
> during SSL connection. Changing list of ciphers can be desirable to
> tighten or relax security of particular installation, and allows quick
> fix on configuration file level in case if vulnerability is discovered
> in one of cryptoalgorithms or their OpenSSL implementation - cipher
> suites which use such algorithm can be easily disabled.
>
> 3. If libpq compiled with OpenSSL 0.9.7 and above, compiled with engine
> support, it is possible to store secret key of client certificate on the
> hardware token, supported by one of OpenSSL engines (Hardware Security
> Module). Name of engine which supports token and engine-specific key ID
> are specified using environment variable PGSSLKEY.
>
> This allows use of hardware tokens such as smartcards to identify
> clients, connecting to database.
>
> This functionality can be used in installations with high security
> requirements or in situations where several people can use same terminal
> (such as cash register in shops or malls).
>
> If PostgreSQL is compiled with version of OpenSSL which do not support
> engines or doesn't have OPENSSL_config function, related functionality
> is excluded by preprocessor conditionals, based on value of
> SSLEAY_VERSION_NUMBER preprocessor symbol which is defined by all
> versions of OpenSSL.
>
> [ Attachment, skipping... ]

--
  Bruce Momjian <[EMAIL PROTECTED]> http://momjian.us
  EnterpriseDB http://www.enterprisedb.com
Re: [PATCHES] SSL enhancement patch ver.2
This has been saved for the 8.3 release:

  http://momjian.postgresql.org/cgi-bin/pgpatches_hold

---

Victor B. Wagner wrote:
> This patch adds following functionality to PostgreSQL
>
> 1. If PostgreSQL is compiled with OpenSSL version 0.9.7 and above,
> both backend and libpq read site-wide OpenSSL configuration file as
> described in OPENSSL_config function manual page.
>
> This allows to use hardware crypto acceleration modules (engines) and,
> in future version 0.9.9 would allow to use additional cryptoalgorithms
> (i.e. national standards) which are not included in core OpenSSL.
>
> All other configuration parameters which are supported by OpenSSL
> library also are taken into account.
>
> 2. New configuration option "ssl_ciphers" is added to postgresql.conf.
> This option allows to change list of ciphers, acceptable by backend
> during SSL connection. Changing list of ciphers can be desirable to
> tighten or relax security of particular installation, and allows quick
> fix on configuration file level in case if vulnerability is discovered
> in one of cryptoalgorithms or their OpenSSL implementation - cipher
> suites which use such algorithm can be easily disabled.
>
> 3. If libpq compiled with OpenSSL 0.9.7 and above, compiled with engine
> support, it is possible to store secret key of client certificate on the
> hardware token, supported by one of OpenSSL engines (Hardware Security
> Module). Name of engine which supports token and engine-specific key ID
> are specified using environment variable PGSSLKEY.
>
> This allows use of hardware tokens such as smartcards to identify
> clients, connecting to database.
>
> This functionality can be used in installations with high security
> requirements or in situations where several people can use same terminal
> (such as cash register in shops or malls).
>
> If PostgreSQL is compiled with version of OpenSSL which do not support
> engines or doesn't have OPENSSL_config function, related functionality
> is excluded by preprocessor conditionals, based on value of
> SSLEAY_VERSION_NUMBER preprocessor symbol which is defined by all
> versions of OpenSSL.
>
> [ Attachment, skipping... ]

--
  Bruce Momjian [EMAIL PROTECTED]
  EnterpriseDB http://www.enterprisedb.com