diff options
| -rw-r--r-- | doc/src/sgml/config.sgml | 65 | ||||
| -rw-r--r-- | src/backend/utils/misc/guc.c | 2 | ||||
| -rw-r--r-- | src/backend/utils/misc/postgresql.conf.sample | 2 |
3 files changed, 64 insertions, 5 deletions
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml index 91a601559f0..cf11306f6cb 100644 --- a/doc/src/sgml/config.sgml +++ b/doc/src/sgml/config.sgml @@ -889,12 +889,71 @@ include 'filename' </indexterm> <listitem> <para> - Specifies a list of <acronym>SSL</> ciphers that are allowed to be + Specifies a list of <acronym>SSL</> cipher suites that are allowed to be used on secure connections. See the <citerefentry><refentrytitle>ciphers</></citerefentry> manual page in the <application>OpenSSL</> package for the syntax of this setting - and a list of supported values. The default value is usually - reasonable, unless you have specific security requirements. + and a list of supported values. The default value is + <literal>HIGH:MEDIUM:+3DES:!aNULL</>. It is usually reasonable, + unless you have specific security requirements. + </para> + + <para> + Explanation of the default value: + <variablelist> + <varlistentry> + <term><literal>HIGH</literal></term> + <listitem> + <para> + Cipher suites that use ciphers from <literal>HIGH</> group (e.g., + AES, Camellia, 3DES) + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><literal>MEDIUM</literal></term> + <listitem> + <para> + Cipher suites that use ciphers from <literal>MEDIUM</> group + (e.g., RC4, SEED) + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><literal>+3DES</literal></term> + <listitem> + <para> + The OpenSSL default order for <literal>HIGH</> is problematic + because it orders 3DES higher than AES128. This is wrong because + 3DES offers less security than AES128, and it is also much + slower. <literal>+3DES</> reorders it after all other + <literal>HIGH</> and <literal>MEDIUM</> ciphers. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><literal>!aNULL</literal></term> + <listitem> + <para> + Disables anonymous cipher suites that do no authentication. Such + cipher suites are vulnerable to man-in-the-middle attacks and + therefore should not be used. + </para> + </listitem> + </varlistentry> + </variablelist> + </para> + + <para> + Available cipher suite details will vary across OpenSSL versions. Use + the command + <literal>openssl ciphers -v 'HIGH:MEDIUM:+3DES:!aNULL'</literal> to + see actual details for the currently installed <application>OpenSSL</> + version. Note that this list is filtered at run time based on the + server key type. </para> </listitem> </varlistentry> diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c index aa5a8757fa3..b27cb89a289 100644 --- a/src/backend/utils/misc/guc.c +++ b/src/backend/utils/misc/guc.c @@ -3237,7 +3237,7 @@ static struct config_string ConfigureNamesString[] = }, &SSLCipherSuites, #ifdef USE_SSL - "DEFAULT:!LOW:!EXP:!MD5:@STRENGTH", + "HIGH:MEDIUM:+3DES:!aNULL", #else "none", #endif diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample index 07341e72a43..ce56059ceb2 100644 --- a/src/backend/utils/misc/postgresql.conf.sample +++ b/src/backend/utils/misc/postgresql.conf.sample @@ -79,7 +79,7 @@ #authentication_timeout = 1min # 1s-600s #ssl = off # (change requires restart) -#ssl_ciphers = 'DEFAULT:!LOW:!EXP:!MD5:@STRENGTH' # allowed SSL ciphers +#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers # (change requires restart) #ssl_prefer_server_ciphers = on # (change requires restart) #ssl_ecdh_curve = 'prime256v1' # (change requires restart) |