author | Daniel Gustafsson <dgustafsson@postgresql.org> | 2024-10-24 15:20:32 +0200 |
committer | Daniel Gustafsson <dgustafsson@postgresql.org> | 2024-10-24 15:20:32 +0200 |
commit | 45188c2ea2391b7b24039e1632c726e2fc6b8008 (patch) | |
tree | e85052c98e0775dd4932789e0fe603909a36bccf /src/backend/libpq | |
parent | 3d1ef3a15c3eb68dae44b94e89d04c422b26fc16 (diff) | |
Support configuring TLSv1.3 cipher suites
The ssl_ciphers GUC can only set cipher suites for TLSv1.2 and lower
connections. For TLSv1.3 connections a different OpenSSL API must be
used. This adds a new GUC, ssl_tls13_ciphers, which can be used to
configure a colon separated list of cipher suites to support when
performing a TLSv1.3 handshake.
Original patch by Erica Zhang with additional hacking by me.
Author: Erica Zhang <ericazhangy2021@qq.com>
Author: Daniel Gustafsson <daniel@yesql.se>
Reviewed-by: Jacob Champion <jacob.champion@enterprisedb.com>
Reviewed-by: Andres Freund <andres@anarazel.de>
Reviewed-by: Peter Eisentraut <peter@eisentraut.org>
Reviewed-by: Jelte Fennema-Nio <postgres@jeltef.nl>
Discussion: https://postgr.es/m/tencent_063F89FA72CCF2E48A0DF5338841988E9809@qq.com
Diffstat (limited to 'src/backend/libpq')
-rw-r--r-- | src/backend/libpq/be-secure-openssl.c | 22 | ||||
-rw-r--r-- | src/backend/libpq/be-secure.c | 1 |
2 files changed, 20 insertions, 3 deletions
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index c8cd81d8537..469be36e764 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -288,15 +288,31 @@ be_tls_init(bool isServerStart)
 if (!initialize_ecdh(context, isServerStart))
 goto error;
 
- /* set up the allowed cipher list */
- if (SSL_CTX_set_cipher_list(context, SSLCipherSuites) != 1)
+ /* set up the allowed cipher list for TLSv1.2 and below */
+ if (SSL_CTX_set_cipher_list(context, SSLCipherList) != 1)
 {
 ereport(isServerStart ? FATAL : LOG,
 (errcode(ERRCODE_CONFIG_FILE_ERROR),
- errmsg("could not set the cipher list (no valid ciphers available)")));
+ errmsg("could not set the TLSv1.2 cipher list (no valid ciphers available)")));
 goto error;
 }
 
+ /*
+ * Set up the allowed cipher suites for TLSv1.3. If the GUC is an empty
+ * string we leave the allowed suites to be the OpenSSL default value.
+ */
+ if (SSLCipherSuites[0])
+ {
+ /* set up the allowed cipher suites */
+ if (SSL_CTX_set_ciphersuites(context, SSLCipherSuites) != 1)
+ {
+ ereport(isServerStart ? FATAL : LOG,
+ (errcode(ERRCODE_CONFIG_FILE_ERROR),
+ errmsg("could not set the TLSv1.3 cipher suites (no valid ciphers available)")));
+ goto error;
+ }
+ }
+
 /* Let server choose order */
 if (SSLPreferServerCiphers)
 SSL_CTX_set_options(context, SSL_OP_CIPHER_SERVER_PREFERENCE);
diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c
index ef20ea755b7..2139f81f241 100644
--- a/src/backend/libpq/be-secure.c
+++ b/src/backend/libpq/be-secure.c
@@ -49,6 +49,7 @@ bool ssl_loaded_verify_locations = false;
 
 /* GUC variable controlling SSL cipher list */
 char *SSLCipherSuites = NULL;
+char *SSLCipherList = NULL;
 
 /* GUC variable for default ECHD curve. */
 char *SSLECDHCurve;
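Review bot: `if (SSLCipherSuites[0])` in the be-secure-openssl.c hunk dereferences the GUC pointer without a NULL guard; the GUC table is not in this diff, so if the string GUC can ever carry a NULL boot value this faults at startup, and otherwise a one-line comment such as `/* string GUCs are never NULL once GUC init has run */` would document why the guard is unnecessary. The inner `/* set up the allowed cipher suites */` restates the block comment directly above it and can be dropped. If I recall OpenSSL's behaviour correctly, SSL_CTX_set_ciphersuites() skips unrecognised TLSv1.3 suite names and only fails when the resulting list is empty, so a misspelt entry in a multi-entry list is dropped silently rather than reported, which the `(no valid ciphers available)` wording does not convey; the TLSv1.2 path has the same caveat, and a short comment at the error site noting that only a fully unusable list is rejected would help operators validating their configuration. be_tls_init starts and ends outside the hunk.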