[pgpool-hackers: 3275] Re: ssl_ciphers
Muhammad Usama
m.usama at gmail.com
Tue Mar 26 16:43:55 JST 2019
> On 26-Mar-2019, at 12:25 PM, Tatsuo Ishii <ishii at sraoss.co.jp> wrote:
>
> Usama,
>
>> Hi Ishii-San
>>
>>> On Tue, Mar 26, 2019 at 9:50 AM Tatsuo Ishii <ishii at sraoss.co.jp> wrote:
>>>
>>> Hi Pgpool Developers,
>>>
>>> Recently I got a request from a customer to add ssl_ciphers
>>> functionality of PostgreSQL. This allows to limit accepting SSL
>>> ciphers. The main motivation of this is to defend Pgpool-II from weak
>>> ciphers attack (known as Sweet32).
>>> https://access.redhat.com/security/cve/cve-2016-2183
>>>
>>> I don't think this is a vulnerability of Pgpool-II itself. In fact
>>> other OSS projects except OpenSSL have not assigned CVE because of
>>> this.
>>>
>>> However, I think implementing ssl_ciphers is a good thing for
>>> Pgpool-II because we could say "we are safer than before." Also some
>>> of other OSS projects have done something for this.
>>>
>>> So I decided to implement ssl_ciphers and back patch to all supported
>>> branches. Usually we do not add new configuration parameters to minor
>>> releases but this time there's no other way to implement the feature,
>>> so I have to add a new parameter ssl_ciphers.
>>>
>>
>> I agree this is the right way to go, to make an exception in this case and
>> back-port the patch to all supported branches.
>>
>>>
>>> The main changes to the code are fairly small (in src/utils/pool_ssl.c):
>>>
>>> + /* set up the allowed cipher list */
>>> + error = SSL_CTX_set_cipher_list(cp->ssl_ctx,
>>> pool_config->ssl_ciphers);
>>> SSL_RETURN_ERROR_IF((error != 1), "Setting allowed cipher list");
>>> +
>>> + /* Let server choose order */
>>> + SSL_CTX_set_options(cp->ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
>>> +
>>>
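Review bot: the SSL_CTX_set_options(cp->ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE) call at the end of the hunk is unconditional, which changes cipher negotiation order on every branch this is back-patched to. The option only decides whose preference order wins among the ciphers both sides allow; the restriction itself comes from SSL_CTX_set_cipher_list(), so the call can be guarded by its own setting without weakening ssl_ciphers. Also, since error != 1 aborts SSL setup and SSL_CTX_set_cipher_list() fails when the string selects no cipher, pool_config->ssl_ciphers needs a non-empty default so configurations that never set it still start.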
>>> SSL_CTX_set_cipher_list() limits the cipher
>>> list. SSL_CTX_set_options() is needed to reject client's request for
>>> ciphers not in the cipher list.
>>>
>>> Attached is the patch for master branch.
>>>
>>
>> The patch looks fine. One small comment: do you think we should make
>> the SSL_CTX_set_options(cp->ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); call
>> conditional on some new configuration parameter (similar to PostgreSQL's
>> ssl_prefer_server_ciphers config)
>> and set the default value of that parameter to "off", so that minor version
>> upgrades keep the consistent behaviour, and users get the option to use
>> server or client cipher preference?
>
> Yeah, since we are going to make releases for stable branches, keeping
> existing behavior is important. I agree with you.
>
> Do you mind if I ask you to implement ssl_prefer_server_ciphers? If
> ok, I would like to push the patch as proposed (without
> ssl_prefer_server_ciphers), then you implement
> ssl_prefer_server_ciphers part on top of it.
Sure, I will do that today after you push this patch.
Thanks
Best Regards
Muhammad Usama
>
> Best regards,
> --
> Tatsuo Ishii
> SRA OSS, Inc. Japan
> English: http://www.sraoss.co.jp/index_en.php
> Japanese:http://www.sraoss.co.jp
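
A candidate ssl_ciphers value can be checked before it is deployed. The following is an added example, not part of the original thread or of Pgpool-II: it uses Python's ssl module, whose set_ciphers() passes the string to the same SSL_CTX_set_cipher_list() call, and the function names, marker list and sample strings are assumptions made for illustration.

```python
import ssl

# Name fragments of suites built on 64-bit block ciphers (the Sweet32 class).
# Assumption: matching on OpenSSL suite names is sufficient for this audit.
WEAK_MARKERS = ("3DES", "DES-CBC", "IDEA", "RC2")


def expand_cipher_string(cipher_string):
    """Return the suite names the local OpenSSL enables for cipher_string,
    or None if OpenSSL rejects it (the error != 1 path in the patch)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)  # wraps SSL_CTX_set_cipher_list()
    except ssl.SSLError:
        return None  # the string selected no usable cipher
    return [c["name"] for c in ctx.get_ciphers()]


def sweet32_suites(cipher_string):
    """Return enabled suites that use a 64-bit block cipher, or None if the
    cipher string itself is rejected."""
    names = expand_cipher_string(cipher_string)
    if names is None:
        return None
    return [n for n in names if any(m in n for m in WEAK_MARKERS)]


if __name__ == "__main__":
    # Constructed sample values for ssl_ciphers, not taken from the thread.
    samples = (
        "HIGH:MEDIUM:+3DES:!aNULL",  # keeps 3DES, moved to the end of the list
        "HIGH:!3DES:!aNULL",         # removes 3DES outright
        "NO-SUCH-CIPHER-XYZ",        # matches nothing, so setup would fail
    )
    for value in samples:
        weak = sweet32_suites(value)
        if weak is None:
            print(f"{value!r}: rejected by OpenSSL, SSL setup would abort")
        elif weak:
            print(f"{value!r}: still enables {', '.join(weak)}")
        else:
            print(f"{value!r}: no 64-bit block cipher suites enabled")
```

The result reflects the OpenSSL build the script runs against, so run it on the host where Pgpool-II is installed.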