postgresql/src/backend/libpq
Daniel Gustafsson 44e27f0a6d Support disallowing SSL renegotiation when using LibreSSL
LibreSSL doesn't support the SSL_OP_NO_RENEGOTIATION macro which is
used by OpenSSL, instead it has invented a similar one for client-
side renegotiation: SSL_OP_NO_CLIENT_RENEGOTIATION. This has been
supported since LibreSSL 2.5.1 which by now can be considered well
below the minimum requirement.

Reviewed-by: Peter Eisentraut <peter@eisentraut.org>
Reviewed-by: Michael Paquier <michael@paquier.xyz>
Discussion: https://postgr.es/m/eac70d46-e61c-4d71-a1e1-78e2bfa19485@eisentraut.org
2024-04-24 10:54:42 +02:00
..
Makefile Refactor SASL code with a generic interface for its mechanisms 2021-07-07 10:55:15 +09:00
README.SSL Move EDH support to common files 2018-01-23 07:11:38 -05:00
auth-sasl.c Update copyright for 2024 2024-01-03 20:49:05 -05:00
auth-scram.c Remove unused #include's from backend .c files 2024-03-04 12:02:20 +01:00
auth.c Remove unused #include's from backend .c files 2024-03-04 12:02:20 +01:00
be-fsstubs.c Update copyright for 2024 2024-01-03 20:49:05 -05:00
be-gssapi-common.c Update copyright for 2024 2024-01-03 20:49:05 -05:00
be-secure-common.c Update copyright for 2024 2024-01-03 20:49:05 -05:00
be-secure-gssapi.c Update copyright for 2024 2024-01-03 20:49:05 -05:00
be-secure-openssl.c Support disallowing SSL renegotiation when using LibreSSL 2024-04-24 10:54:42 +02:00
be-secure.c Support TLS handshake directly without SSLRequest negotiation 2024-04-08 04:24:49 +03:00
crypt.c Remove unused #include's from backend .c files 2024-03-04 12:02:20 +01:00
hba.c Remove unused #include's from backend .c files 2024-03-04 12:02:20 +01:00
ifaddr.c Update copyright for 2024 2024-01-03 20:49:05 -05:00
meson.build Update copyright for 2024 2024-01-03 20:49:05 -05:00
pg_hba.conf.sample Add description for new patterns supported in HBA and ident sample files 2023-02-16 07:38:52 +09:00
pg_ident.conf.sample Add description for new patterns supported in HBA and ident sample files 2023-02-16 07:38:52 +09:00
pqcomm.c Support TLS handshake directly without SSLRequest negotiation 2024-04-08 04:24:49 +03:00
pqformat.c Remove unused 'countincludesself' argument to pq_sendcountedtext() 2024-03-04 12:56:05 +02:00
pqmq.c Replace BackendIds with 0-based ProcNumbers 2024-03-03 19:38:22 +02:00
pqsignal.c Update copyright for 2024 2024-01-03 20:49:05 -05:00

README.SSL

src/backend/libpq/README.SSL

SSL
===

>From the servers perspective:


  Receives StartupPacket
           |
           |
 (Is SSL_NEGOTIATE_CODE?) -----------  Normal startup
           |                  No
           |
           | Yes
           |
           |
 (Server compiled with USE_SSL?) ------- Send 'N'
           |                       No        |
           |                                 |
           | Yes                         Normal startup
           |
           |
        Send 'S'
           |
           |
      Establish SSL
           |
           |
      Normal startup





>From the clients perspective (v6.6 client _with_ SSL):


      Connect
         |
         |
  Send packet with SSL_NEGOTIATE_CODE
         |
         |
  Receive single char  ------- 'S' -------- Establish SSL
         |                                       |
         | '<else>'                              |
         |                                  Normal startup
         |
         |
   Is it 'E' for error  ------------------- Retry connection
         |                  Yes             without SSL
         | No
         |
   Is it 'N' for normal ------------------- Normal startup
         |                  Yes
         |
   Fail with unknown

---------------------------------------------------------------------------

Ephemeral DH
============

Since the server static private key ($DataDir/server.key) will
normally be stored unencrypted so that the database backend can
restart automatically, it is important that we select an algorithm
that continues to provide confidentiality even if the attacker has the
server's private key.  Ephemeral DH (EDH) keys provide this and more
(Perfect Forward Secrecy aka PFS).

N.B., the static private key should still be protected to the largest
extent possible, to minimize the risk of impersonations.

Another benefit of EDH is that it allows the backend and clients to
use DSA keys.  DSA keys can only provide digital signatures, not
encryption, and are often acceptable in jurisdictions where RSA keys
are unacceptable.

The downside to EDH is that it makes it impossible to use ssldump(1)
if there's a problem establishing an SSL session.  In this case you'll
need to temporarily disable EDH (see initialize_dh()).