diff options
Diffstat (limited to 'src/backend')
| -rw-r--r-- | src/backend/libpq/be-secure.c | 15 | ||||
| -rw-r--r-- | src/backend/postmaster/postmaster.c | 3 | ||||
| -rw-r--r-- | src/backend/utils/misc/guc.c | 12 | ||||
| -rw-r--r-- | src/backend/utils/misc/postgresql.conf.sample | 1 |
4 files changed, 27 insertions, 4 deletions
diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c index 8a54275d9cd..1fb648fb8ed 100644 --- a/src/backend/libpq/be-secure.c +++ b/src/backend/libpq/be-secure.c @@ -11,7 +11,7 @@ * * * IDENTIFICATION - * $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.77 2007/02/07 00:52:35 petere Exp $ + * $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.78 2007/02/16 02:59:40 momjian Exp $ * * Since the server static private key ($DataDir/server.key) * will normally be stored unencrypted so that the database @@ -92,6 +92,10 @@ #ifdef USE_SSL #include <openssl/ssl.h> #include <openssl/dh.h> +#if SSLEAY_VERSION_NUMBER >= 0x0907000L +#include <openssl/conf.h> +#endif + #endif #include "libpq/libpq.h" @@ -125,6 +129,10 @@ static const char *SSLerrmessage(void); #define RENEGOTIATION_LIMIT (512 * 1024 * 1024) static SSL_CTX *SSL_context = NULL; + +/* GUC variable controlling SSL cipher list*/ +extern char *SSLCipherSuites; + #endif /* ------------------------------------------------------------ */ @@ -719,6 +727,9 @@ initialize_SSL(void) if (!SSL_context) { +#if SSLEAY_VERSION_NUMBER >= 0x0907000L + OPENSSL_config(NULL); +#endif SSL_library_init(); SSL_load_error_strings(); SSL_context = SSL_CTX_new(SSLv23_method()); @@ -780,7 +791,7 @@ initialize_SSL(void) SSL_CTX_set_options(SSL_context, SSL_OP_SINGLE_DH_USE | SSL_OP_NO_SSLv2); /* setup the allowed cipher list */ - if (SSL_CTX_set_cipher_list(SSL_context, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH") != 1) + if (SSL_CTX_set_cipher_list(SSL_context, SSLCipherSuites) != 1) elog(FATAL, "could not set the cipher list (no valid ciphers available)"); /* diff --git a/src/backend/postmaster/postmaster.c b/src/backend/postmaster/postmaster.c index f7411210a74..0a0a677e6ef 100644 --- a/src/backend/postmaster/postmaster.c +++ b/src/backend/postmaster/postmaster.c @@ -37,7 +37,7 @@ * * * IDENTIFICATION - * $PostgreSQL: pgsql/src/backend/postmaster/postmaster.c,v 1.523 2007/02/16 02:10:07 alvherre Exp $ + * $PostgreSQL: pgsql/src/backend/postmaster/postmaster.c,v 1.524 2007/02/16 02:59:41 momjian Exp $ * * NOTES * @@ -187,6 +187,7 @@ static int SendStop = false; /* still more option variables */ bool EnableSSL = false; +char *SSLCipherSuites; bool SilentMode = false; /* silent mode (-S) */ int PreAuthDelay = 0; diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c index e66573d7380..b5d93d6d64d 100644 --- a/src/backend/utils/misc/guc.c +++ b/src/backend/utils/misc/guc.c @@ -10,7 +10,7 @@ * Written by Peter Eisentraut <peter_e@gmx.net>. * * IDENTIFICATION - * $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.374 2007/02/14 03:08:44 neilc Exp $ + * $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.375 2007/02/16 02:59:41 momjian Exp $ * *-------------------------------------------------------------------- */ @@ -2314,6 +2314,16 @@ static struct config_string ConfigureNamesString[] = NULL, assign_temp_tablespaces, NULL }, + { + {"ssl_ciphers", PGC_POSTMASTER, CONN_AUTH_SECURITY, + gettext_noop("Sets the list of allowed SSL ciphers."), + NULL, + GUC_SUPERUSER_ONLY + }, + &SSLCipherSuites, + "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH", NULL, NULL + }, + /* End-of-list marker */ { {NULL, 0, 0, NULL, NULL}, NULL, NULL, NULL, NULL diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample index 2e708b11623..ca5b2aafb11 100644 --- a/src/backend/utils/misc/postgresql.conf.sample +++ b/src/backend/utils/misc/postgresql.conf.sample @@ -74,6 +74,7 @@ #authentication_timeout = 1min # 1s-600s #ssl = off # (change requires restart) +#ssl_ciphers = 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH' # List of ciphers to use #password_encryption = on #db_user_namespace = off |