diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 39b1a66236..cd21863897 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -289,7 +289,7 @@ be_tls_init(bool isServerStart)
 		goto error;
 
 	/* set up the allowed cipher list */
-	if (SSL_CTX_set_cipher_list(context, SSLCipherSuites) != 1)
+	if (SSL_CTX_set_cipher_list(context, SSLCipherLists) != 1)
 	{
 		ereport(isServerStart ? FATAL : LOG,
 				(errcode(ERRCODE_CONFIG_FILE_ERROR),
@@ -297,6 +297,15 @@ be_tls_init(bool isServerStart)
 		goto error;
 	}
 
+	/* set up the allowed cipher suites */
+	if (SSL_CTX_set_ciphersuites(context, SSLCipherSuites) != 1)
+	{
+		ereport(isServerStart ? FATAL : LOG,
+				(errcode(ERRCODE_CONFIG_FILE_ERROR),
+				 errmsg("could not set the cipher suites (no valid ciphers available)")));
+		goto error;
+	}
+
 	/* Let server choose order */
 	if (SSLPreferServerCiphers)
 		SSL_CTX_set_options(context, SSL_OP_CIPHER_SERVER_PREFERENCE);
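Review bot: `SSL_CTX_set_ciphersuites()` in the added block exists only from OpenSSL 1.1.1 on, so unless the project's minimum OpenSSL is already 1.1.1 the call needs a configure probe or an `OPENSSL_VERSION_NUMBER >= 0x10101000L` guard, otherwise be_tls_init stops compiling against older libraries. The comment `/* set up the allowed cipher suites */` sits directly under `/* set up the allowed cipher list */` and does not say what distinguishes the two; `/* set up the allowed TLSv1.3 cipher suites (ssl_cipher_suites) */` would. Per OpenSSL's documentation an empty list is accepted by `SSL_CTX_set_ciphersuites()` and returns 1 (leaving no TLSv1.3 suites enabled), so the "no valid ciphers available" message covers malformed input but not an empty GUC value; a check such as `if (SSLCipherSuites == NULL || *SSLCipherSuites == '\0')` ahead of the call would report that case explicitly. be_tls_init starts and ends outside the hunk.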
@@ -1397,35 +1406,37 @@ initialize_dh(SSL_CTX *context, bool isServerStart)
  * Set ECDH parameters for generating ephemeral Elliptic Curve DH
  * keys. This is much simpler than the DH parameters, as we just
  * need to provide the name of the curve to OpenSSL.
+ * From Postgres 17 on, we support to provide a string list which
+ * is a colon separated list of curve names.
  */
 static bool
 initialize_ecdh(SSL_CTX *context, bool isServerStart)
 {
 #ifndef OPENSSL_NO_ECDH
-	EC_KEY	   *ecdh;
-	int			nid;
+	char	   *curve_list = strdup(SSLECDHCurve);
+	char	   *saveptr;
+	char	   *token = strtok_r(curve_list, ":", &saveptr);
+	int			nid;
 
-	nid = OBJ_sn2nid(SSLECDHCurve);
-	if (!nid)
+	while (token != NULL)
 	{
-		ereport(isServerStart ? FATAL : LOG,
-				(errcode(ERRCODE_CONFIG_FILE_ERROR),
-				 errmsg("ECDH: unrecognized curve name: %s", SSLECDHCurve)));
+		nid = OBJ_sn2nid(token);
+		if (!nid)
+		{ereport(isServerStart ? FATAL : LOG,
+				(errcode(ERRCODE_CONFIG_FILE_ERROR),
+				 errmsg("ECDH: unrecognized curve name: %s", token)));
 		return false;
+		}
+		token = strtok_r(NULL, ":", &saveptr);
 	}
 
-	ecdh = EC_KEY_new_by_curve_name(nid);
-	if (!ecdh)
+	if(SSL_CTX_set1_curves_list(context, SSLECDHCurve) !=1)
 	{
 		ereport(isServerStart ? FATAL : LOG,
-				(errcode(ERRCODE_CONFIG_FILE_ERROR),
-				 errmsg("ECDH: could not create key")));
+				(errcode(ERRCODE_CONFIG_FILE_ERROR),
+				 errmsg("ECDH: failed to set curve names")));
 		return false;
 	}
-
-	SSL_CTX_set_options(context, SSL_OP_SINGLE_ECDH_USE);
-	SSL_CTX_set_tmp_ecdh(context, ecdh);
-	EC_KEY_free(ecdh);
 #endif
 
 	return true;
diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c
index 1663f36b6b..aba0498d39 100644
--- a/src/backend/libpq/be-secure.c
+++ b/src/backend/libpq/be-secure.c
@@ -48,6 +48,7 @@ bool		ssl_loaded_verify_locations = false;
 
 /* GUC variable controlling SSL cipher list */
 char	   *SSLCipherSuites = NULL;
+char	   *SSLCipherLists = NULL;
 
 /* GUC variable for default ECHD curve. */
 char	   *SSLECDHCurve;
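Review bot: `curve_list` is allocated with libc `strdup()` and never freed on either exit of initialize_ecdh, so every SSL context (re)load leaks it, and the result is not checked for NULL before `strtok_r()` is handed it. Since the loop only validates names and the untouched `SSLECDHCurve` is what reaches `SSL_CTX_set1_curves_list()`, the copy should be a `pstrdup()` that is `pfree()`d on both paths, or the pre-validation dropped in favour of the library's own rejection; note too that `OBJ_sn2nid()` matches OpenSSL short names, so aliases like `P-256` that `SSL_CTX_set1_curves_list()` accepts would be refused by the loop first — worth confirming against the OpenSSL version in use. The brace placement `{ereport(`, the `if(` and `!=1` spacing do not follow the file's pgindent style, and the new header comment reads better as `* Since PostgreSQL 17 the value may also be a colon-separated list of curve names.`. Dropping `SSL_OP_SINGLE_ECDH_USE` is harmless on OpenSSL 1.1.0+ where it is a no-op, but matters if older libraries are still supported. initialize_ecdh's closing brace is outside the hunk.
```c
#ifndef OPENSSL_NO_ECDH
	char	   *curve_list = pstrdup(SSLECDHCurve);
	char	   *saveptr;
	char	   *token;

	/* Validate each name up front so the error can name the bad entry. */
	for (token = strtok_r(curve_list, ":", &saveptr);
		 token != NULL;
		 token = strtok_r(NULL, ":", &saveptr))
	{
		if (!OBJ_sn2nid(token))
		{
			ereport(isServerStart ? FATAL : LOG,
					(errcode(ERRCODE_CONFIG_FILE_ERROR),
					 errmsg("ECDH: unrecognized curve name: %s", token)));
			pfree(curve_list);
			return false;
		}
	}
	pfree(curve_list);

	if (SSL_CTX_set1_curves_list(context, SSLECDHCurve) != 1)
	/* … unchanged: ereport and return false … */
```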
diff --git a/src/backend/utils/misc/guc_tables.c b/src/backend/utils/misc/guc_tables.c
index 46c258be28..37c500042d 100644
--- a/src/backend/utils/misc/guc_tables.c
+++ b/src/backend/utils/misc/guc_tables.c
@@ -4579,7 +4579,7 @@ struct config_string ConfigureNamesString[] =
 			NULL,
 			GUC_SUPERUSER_ONLY
 		},
-		&SSLCipherSuites,
+		&SSLCipherLists,
 #ifdef USE_OPENSSL
 		"HIGH:MEDIUM:+3DES:!aNULL",
 #else
@@ -4588,6 +4588,21 @@ struct config_string ConfigureNamesString[] =
 		NULL, NULL, NULL
 	},
 
+	{
+		{"ssl_cipher_suites", PGC_SIGHUP, CONN_AUTH_SSL,
+			gettext_noop("Sets the list of allowed SSL cipher suites."),
+			NULL,
+			GUC_SUPERUSER_ONLY
+		},
+		&SSLCipherSuites,
+#ifdef USE_OPENSSL
+		"TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256",
+#else
+		"none",
+#endif
+		NULL, NULL, NULL
+	},
+
 	{
 		{"ssl_ecdh_curve", PGC_SIGHUP, CONN_AUTH_SSL,
 			gettext_noop("Sets the curve to use for ECDH."),
diff --git a/src/include/libpq/libpq.h b/src/include/libpq/libpq.h
index 83e338f604..055fce4fe5 100644
--- a/src/include/libpq/libpq.h
+++ b/src/include/libpq/libpq.h
@@ -118,6 +118,7 @@ extern ssize_t secure_open_gssapi(Port *port);
 
 /* GUCs */
 extern PGDLLIMPORT char *SSLCipherSuites;
+extern PGDLLIMPORT char *SSLCipherLists;
 extern PGDLLIMPORT char *SSLECDHCurve;
 extern PGDLLIMPORT bool SSLPreferServerCiphers;
 extern PGDLLIMPORT int ssl_min_protocol_version;
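Review bot: The existing `ssl_ciphers` GUC is rebound from `&SSLCipherSuites` to the new `&SSLCipherLists` while the new `ssl_cipher_suites` GUC takes over the old `SSLCipherSuites` name; because `SSLCipherSuites` is exported `PGDLLIMPORT` in the libpq.h hunk, any out-of-tree code reading it would silently receive the TLSv1.3 suite list instead of the cipher list it was written against. Giving the new GUC a fresh variable and leaving `SSLCipherSuites` attached to `ssl_ciphers` avoids the inversion and keeps variable names aligned with GUC names. The description `gettext_noop("Sets the list of allowed SSL cipher suites.")` is hard to tell apart from the `ssl_ciphers` one; `gettext_noop("Sets the list of allowed TLSv1.3 cipher suites.")` says what the new setting actually controls. The diff also does not update the sample configuration file or the configuration documentation for the new GUC, which I assume is intended for a later patch.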