Re: Force disable of SSL renegociation in the server

From: Daniel Gustafsson <daniel(at)yesql(dot)se>
To: Michael Paquier <michael(at)paquier(dot)xyz>
Cc: Postgres hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>, Robert Haas <robertmhaas(at)gmail(dot)com>, Andres Freund <andres(at)anarazel(dot)de>
Subject: Re: Force disable of SSL renegociation in the server
Date: 2021-05-20 12:15:52
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-hackers

> On 20 May 2021, at 13:00, Michael Paquier <michael(at)paquier(dot)xyz> wrote:

> - SSL_OP_NO_RENEGOTIATION controls that. It is present in OpenSSL >=
> 1.1.1 and has been backported in 1.1.0h (it is not present in older
> versions of 1.1.0).

For OpenSSL 1.1.0 versions < 1.1.0h it will be silently accepted without
actually doing anything, so we might want to combine it with the below.

> - In 1.0.2 and older versions, OpenSSL has an undocumented flag called
> SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS, able to do the same as far as I
> understand.

Well, it's documented in the changelog that it's undocumented (sigh..) along
with a note stating that it works like SSL_OP_NO_RENEGOTIATION. Skimming the
code it seems to ring true. For older OpenSSL versions there's also
SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION which controls renegotiation for an
older OpenSSL reneg bug. That applies to 0.9.8 versions which we don't
support, but a malicious user can craft whatever they feel like so maybe we
should ensure it's off as well?

> Could there be a point in backpatching that, in light of what we have done in
> 48d23c72 in the past, though?

I think there is merit to that idea, especially given the precedent.

> Thoughts?

+ /* disallow SSL renegociation, option available since 1.1.0h */

+1 on disabling renegotiation, but I think it's worth considering using
SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS as well. One could also argue that extending
the comment with a note that it only applies to TLSv1.2 and lower could be
helpful to readers who aren't familiar with TLS protocol versions. TLSv1.3 did
away with renegotiation.

Daniel Gustafsson

In response to


Browse pgsql-hackers by date

  From Date Subject
Next Message Amit Langote 2021-05-20 12:22:52 Re: Skip partition tuple routing with constant partition key
Previous Message Ashutosh Bapat 2021-05-20 12:13:32 Diagnostic comment in LogicalIncreaseXminForSlot