rdelaage
/
postgresql
mirror of https://git.postgresql.org/git/postgresql.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
postgresql/src/backend/libpq
History
Michael Paquier 01e6f1a842 Disallow SSL renegotiation 
SSL renegotiation is already disabled as of 48d23c72, however this does
not prevent the server to comply with a client willing to use
renegotiation.  In the last couple of years, renegotiation had its set
of security issues and flaws (like the recent CVE-2021-3449), and it
could be possible to crash the backend with a client attempting
renegotiation.

This commit takes one extra step by disabling renegotiation in the
backend in the same way as SSL compression (f9264d15) or tickets
(97d3a0b0).  OpenSSL 1.1.0h has added an option named
SSL_OP_NO_RENEGOTIATION able to achieve that.  In older versions
there is an option called SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS that
was undocumented, and could be set within the SSL object created when
the TLS connection opens, but I have decided not to use it, as it feels
trickier to rely on, and it is not official.  Note that this option is
not usable in OpenSSL < 1.1.0h as the internal contents of the *SSL
object are hidden to applications.

SSL renegotiation concerns protocols up to TLSv1.2.

Per original report from Robert Haas, with a patch based on a suggestion
by Andres Freund.

Author: Michael Paquier
Reviewed-by: Daniel Gustafsson
Discussion: https://postgr.es/m/YKZBXx7RhU74FlTE@paquier.xyz
Backpatch-through: 9.6
 		2021-05-25 10:10:09 +09:00
..
Makefile Introduce --with-ssl={openssl} as a configure option 2021-02-01 19:19:44 +09:00
README.SSL Move EDH support to common files 2018-01-23 07:11:38 -05:00
auth-scram.c Refactor HMAC implementations 2021-04-03 17:30:49 +09:00
auth.c Initial pgindent and pgperltidy run for v14. 2021-05-12 13:14:10 -04:00
be-fsstubs.c Update copyright for 2021 2021-01-02 13:06:25 -05:00
be-gssapi-common.c Update copyright for 2021 2021-01-02 13:06:25 -05:00
be-secure-common.c Update copyright for 2021 2021-01-02 13:06:25 -05:00
be-secure-gssapi.c Update copyright for 2021 2021-01-02 13:06:25 -05:00
be-secure-openssl.c Disallow SSL renegotiation 2021-05-25 10:10:09 +09:00
be-secure.c Allow matching the DN of a client certificate for authentication 2021-03-29 15:49:39 -04:00
crypt.c Update copyright for 2021 2021-01-02 13:06:25 -05:00
hba.c Refactor hba_authname 2021-04-07 14:24:47 +02:00
ifaddr.c Update copyright for 2021 2021-01-02 13:06:25 -05:00
pg_hba.conf.sample pg_hba.conf.sample: Reword connection type section 2021-04-29 07:00:20 +02:00
pg_ident.conf.sample Reformat the comments in pg_hba.conf and pg_ident.conf 2010-01-26 06:58:39 +00:00
pqcomm.c Initial pgindent and pgperltidy run for v14. 2021-05-12 13:14:10 -04:00
pqformat.c Update copyright for 2021 2021-01-02 13:06:25 -05:00
pqmq.c Remove server and libpq support for old FE/BE protocol version 2. 2021-03-04 10:45:55 +02:00
pqsignal.c Use signalfd(2) for epoll latches. 2021-03-01 14:12:02 +13:00

README.SSL 

src/backend/libpq/README.SSL

SSL
===

>From the servers perspective:


  Receives StartupPacket
           |
           |
 (Is SSL_NEGOTIATE_CODE?) -----------  Normal startup
           |                  No
           |
           | Yes
           |
           |
 (Server compiled with USE_SSL?) ------- Send 'N'
           |                       No        |
           |                                 |
           | Yes                         Normal startup
           |
           |
        Send 'S'
           |
           |
      Establish SSL
           |
           |
      Normal startup





>From the clients perspective (v6.6 client _with_ SSL):


      Connect
         |
         |
  Send packet with SSL_NEGOTIATE_CODE
         |
         |
  Receive single char  ------- 'S' -------- Establish SSL
         |                                       |
         | '<else>'                              |
         |                                  Normal startup
         |
         |
   Is it 'E' for error  ------------------- Retry connection
         |                  Yes             without SSL
         | No
         |
   Is it 'N' for normal ------------------- Normal startup
         |                  Yes
         |
   Fail with unknown

---------------------------------------------------------------------------

Ephemeral DH
============

Since the server static private key ($DataDir/server.key) will
normally be stored unencrypted so that the database backend can
restart automatically, it is important that we select an algorithm
that continues to provide confidentiality even if the attacker has the
server's private key.  Ephemeral DH (EDH) keys provide this and more
(Perfect Forward Secrecy aka PFS).

N.B., the static private key should still be protected to the largest
extent possible, to minimize the risk of impersonations.

Another benefit of EDH is that it allows the backend and clients to
use DSA keys.  DSA keys can only provide digital signatures, not
encryption, and are often acceptable in jurisdictions where RSA keys
are unacceptable.

The downside to EDH is that it makes it impossible to use ssldump(1)
if there's a problem establishing an SSL session.  In this case you'll
need to temporarily disable EDH (see initialize_dh()).