View Issue Details

ID: 0000608
Project: Pgpool-II
Category: Bug
View Status: public
Last Update: 2020-05-21 11:30
Reporter: denho
Assigned To: Muhammad Usama
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 4.1.0
Target Version: 4.1.2
Fixed in Version: 4.1.2
Summary: 0000608: pgpool ssl front end accepts all ciphers, not working as expected.
Description: First of all I want to say a big thanks to the pgpool crew for all their hard work!

Here is the issue. I configured pgpool to accept SSL connections on the front end. However, when I run sslyze

sslyze --sslv2 --sslv3 --tlsv1 --tlsv1_1 --tlsv1_2 myhostname:5446 --starttls=postgres
the report shows that pgpool accepts TLS 1.0, TLS 1.1 and TLS 1.2. I only need TLS 1.2 supported; the others pose a security risk.

If I run the same command directly against postgres, I only get TLS 1.2 support.

In my SSL section for pgpool I have:

# - SSL Connections -

ssl = on
                                   # Enable SSL support
                                   # (change requires restart)
ssl_key = '/pg-data/pg_dv/data/server.key'
                                   # Path to the SSL private key file
                                   # (change requires restart)
ssl_cert = '/pg-data/pg_dv/data/server.crt'
                                   # Path to the SSL public certificate file
                                   # (change requires restart)
#ssl_ca_cert = ''
                                   # Path to a single PEM format file
                                   # containing CA root certificate(s)
                                   # (change requires restart)
#ssl_ca_cert_dir = ''
                                   # Directory containing CA root certificate(s)
                                   # (change requires restart)

ssl_ciphers = 'TLSv1.2+HIGH:!eNULL:!aEECDH+HIGH+RSA:!ADH'
                                   # Allowed SSL ciphers
                                   # (change requires restart)
ssl_prefer_server_ciphers = on
                                   # Use server's SSL cipher preferences,
                                   # rather than the client's
                                   # (change requires restart)

For postgresql.conf I have the exact same ciphers:
ssl_ciphers = 'TLSv1.2+HIGH:!eNULL:!aEECDH+HIGH+RSA:!ADH'

I tested this behavior with pgpool 4.1.1 and pgpool 4.0.4.

I am attaching pgpool debug info from when sslyze was running, as well as the sslyze reports for both the pgpool node and a postgres node.

Please help out with this!

Thank you!

Steps To Reproduce: Enable SSL in pgpool and run sslyze:

sslyze --sslv2 --sslv3 --tlsv1 --tlsv1_1 --tlsv1_2 myhostname:5446 --starttls=postgres

Tags: ciphers, ssl, sslyze
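A way to run the same check without sslyze, added here as an example and not code from the pgpool project or from this report: the script speaks the PostgreSQL SSLRequest step itself (the 8-byte message with request code 80877103, answered by a single 'S' or 'N' byte) and then attempts a TLS handshake pinned to one protocol version at a time, so the output says directly which versions the listener will negotiate. Host and port come from the command line (the report's pgpool listener would be `myhostname 5446`); the script name and the `probe`/`probe_all` helpers are this example's own, not anything pgpool ships.

```python
"""Probe which TLS protocol versions a PostgreSQL-protocol listener accepts.

Added example (not part of pgpool). It reproduces what
"sslyze --starttls=postgres" does: send the PostgreSQL SSLRequest message and,
on an 'S' reply, attempt a TLS handshake pinned to a single protocol version.
Usage: python probe_pg_tls.py HOST PORT
"""
import socket
import ssl
import struct
import sys

# SSLRequest (PostgreSQL frontend/backend protocol): int32 length (8) followed
# by the request code 80877103 = (1234 << 16) | 5679, both big-endian.
SSLREQUEST_CODE = (1234 << 16) | 5679


def build_sslrequest() -> bytes:
    """The exact 8 bytes a client sends to ask for TLS on a fresh connection."""
    return struct.pack("!ii", 8, SSLREQUEST_CODE)


def parse_ssl_reply(reply: bytes) -> bool:
    """The server answers one byte: 'S' to proceed with TLS, 'N' to refuse."""
    if reply == b"S":
        return True
    if reply == b"N":
        return False
    raise ValueError(f"unexpected SSLRequest reply: {reply!r}")


def request_ssl(sock: socket.socket) -> bool:
    """Perform the SSLRequest exchange on a plain connected socket."""
    sock.sendall(build_sslrequest())
    return parse_ssl_reply(sock.recv(1))


# Versions in the order sslyze reports them. SSLv2/SSLv3 cannot be offered by
# the Python ssl module, so they are not probed here.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def context_for(version: ssl.TLSVersion) -> ssl.SSLContext:
    """A client context that can negotiate exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # probing version support, not trust
    ctx.minimum_version = version  # raises ValueError if the local OpenSSL
    ctx.maximum_version = version  # cannot offer this version at all
    if version < ssl.TLSVersion.TLSv1_2:
        # Current OpenSSL builds will not offer TLS 1.0/1.1 at the default
        # security level; lower it so a failure means the server refused.
        try:
            ctx.set_ciphers("ALL:@SECLEVEL=0")
        except ssl.SSLError:
            pass
    return ctx


def probe(host: str, port: int, version: ssl.TLSVersion, timeout: float = 5.0):
    """True if the server completes a handshake at `version`, False if the
    handshake fails, None if the server declines TLS entirely (answers 'N')."""
    ctx = context_for(version)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        if not request_ssl(raw):
            return None
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
        except (ssl.SSLError, OSError):
            return False


def probe_all(host: str, port: int) -> dict:
    """Map each version name to the probe result for that version."""
    return {name: probe(host, port, ver) for name, ver in VERSIONS.items()}


if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2])
    for name, accepted in probe_all(host, port).items():
        status = {True: "accepted", False: "rejected", None: "no TLS offered"}[accepted]
        print(f"{name}: {status}")
```

Pinning both `minimum_version` and `maximum_version` on the client context is what makes each result meaningful: the handshake cannot be quietly upgraded, so "accepted" for TLSv1.0 or TLSv1.1 means the listener really negotiated that version, which is the condition the report describes for pgpool and not for postgres. Run it against both the pgpool port and the backend port, as the reporter did with sslyze, and compare.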

Activities

denho

2020-04-30 05:50

reporter  

pgpool.log_ssl (678,163 bytes)
sslyze_report.log (7,846 bytes)

denho

2020-05-05 22:35

reporter   ~0003358

Please let me know if you need any help in reproducing the issue or anything else.

Thanks!

Muhammad Usama

2020-05-06 05:02

developer   ~0003359

Hi denho,

Thanks for identifying the bug. I have pushed the fix to all affected branches:

https://git.postgresql.org/gitweb/?p=pgpool2.git;a=commitdiff;h=56cfadecb0ab421e66e412b8895f9656bfafe42d

Kind regards
Muhammad Usama

Issue History

Date Modified Username Field Change
2020-04-30 05:50 denho New Issue
2020-04-30 05:50 denho File Added: sslyze_report.log
2020-04-30 05:50 denho File Added: pgpool.log_ssl
2020-04-30 05:50 denho Tag Attached: ciphers
2020-04-30 05:50 denho Tag Attached: ssl
2020-04-30 05:50 denho Tag Attached: sslyze
2020-05-01 17:29 t-ishii Assigned To => Muhammad Usama
2020-05-01 17:29 t-ishii Status new => assigned
2020-05-01 17:29 t-ishii Description Updated View Revisions
2020-05-01 17:29 t-ishii Steps to Reproduce Updated View Revisions
2020-05-05 22:35 denho Note Added: 0003358
2020-05-06 05:02 Muhammad Usama Status assigned => resolved
2020-05-06 05:02 Muhammad Usama Resolution open => fixed
2020-05-06 05:02 Muhammad Usama Note Added: 0003359
2020-05-21 11:21 administrator Fixed in Version => 4.1.2
2020-05-21 11:21 administrator Target Version => 4.1.2
2020-05-21 11:30 administrator Status resolved => closed