SSL enhancement patch ver.2

From: "Victor B(dot) Wagner" <vitus(at)cryptocom(dot)ru>
To: pgsql-patches(at)postgresql(dot)org
Subject: SSL enhancement patch ver.2
Date: 2006-09-01 09:59:48
Message-ID: 20060901095948.GA6767@cryptocom.ru
Views: Raw Message | Whole Thread | Download mbox
Thread:
Lists: pgsql-patches

This patch adds following functionality to PostgreSQL

1. If PostgreSQL is compiled with OpenSSL version 0.9.7 and above,
both backend and libpq read site-wide OpenSSL configuration file as
described in OPENSSL_config functon manual page.

This allows to use hardware crypto acceleration modules (engines) and,
in future version 0.9.9 would allow to use additional cryptoalgorithms
(i.e. national standards) which are not included in core OpenSSL.

All other configuration parameters which are supported by OpenSSL
library also are taken into account.

2. New configuration option "ssl_ciphers" is added to postgresql.conf.
This option allows to change list of ciphers, acceptable by backend
during SSL connection. Changing list of ciphers can be desirable to
tighten or relax security of particular installation, and allows quick
fix on configuration file level in case if vulnerability is discovered
in one of cryptoalgorithms or their OpenSSL implementation - cipher
suites which use such algorithm can be easily disabled.

3. If libpq compiled with OpenSSL 0.9.7 and above, compiled with engine
support, it is possible to store secret key of client certificate on the
hardware token, supported by one of OpenSSL engines (Hardware Security
Module). Name of engine which supports token and engine-specific key ID
are specifyed using environment variable PGSSLKEY.

This allows use of hardware tokens such as smartcards to identify
clients, connecting to database.

This functionality can be used in installations with high security
requirements or in situations where several people can use same terminal
(such as cash register in shops or malls).

If PostgreSQL is compiled with version of OpenSSL which do not support
engines or doesn't have OPENSSL_config function, related functionality
is excluded by preprocessor conditionals, based on value of
SSLEAY_VERSION_NUMBER preprocessor symbol which is defined by all
versions of OpenSSL.

Responses

Browse pgsql-patches by date

  From Date Subject
Next Message Michael Glaesemann 2006-09-01 10:54:57 Re: [HACKERS] Interval aggregate regression failure
Previous Message Bruce Momjian 2006-09-01 02:31:10 Re: [HACKERS] Interval aggregate regression failure