From: | Daniel Gustafsson <daniel(at)yesql(dot)se> |
---|---|
To: | Michael Paquier <michael(at)paquier(dot)xyz> |
Cc: | Postgres hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>, Robert Haas <robertmhaas(at)gmail(dot)com>, Andres Freund <andres(at)anarazel(dot)de> |
Subject: | Re: Force disable of SSL renegociation in the server |
Date: | 2021-05-24 09:09:38 |
Message-ID: | BA825D91-6269-4B49-9529-2829F185EEE4@yesql.se |
Lists: | pgsql-hackers |
> On 24 May 2021, at 03:29, Michael Paquier <michael(at)paquier(dot)xyz> wrote:
> I got to look at that in details, and the attached would be able to do
> the job with OpenSSL 1.0.2 and older versions. The main idea is to
> set up SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS once the SSL object is
> created when opening the TLS connection to business. I have tested
> that down to 0.9.8 on all supported branches with the protocols we
> support (heads up to ssl_min_protocol_version here), and that looks to
> work as I'd expect.
>
> It is not a good idea to rely on OPENSSL_VERSION_NUMBER for such
> version checks as I am doing here, as we've been bitten with
> compatibility with LibreSSL in the past. So this had better use a
> check based on HAVE_OPENSSL_INIT_SSL to make sure that 1.1.0 is the
> version of OpenSSL used.
I agree that a capability-based check is better than using the version numbers
as there is a collision risk between distributions (and even within OpenSSL as
NetBSD for example invented their own version etc).
> Anyway, I really don't like using this undocumented option, and there is
> nothing that can be done with OpenSSL < 1.1.0h in the 1.1.0 series as the s3
> part of the *SSL object gets hidden to the application, so it is not possible
> to set SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS there.
1.1.0d killed what was left of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS while keeping
it defined, so there is also very little value in even attempting it there.
+1 on the patch, LGTM.
--
Daniel Gustafsson https://vmware.com/