diff -crN ../pgsql-20060830/doc/src/sgml/config.sgml ./doc/src/sgml/config.sgml *** ../pgsql-20060830/doc/src/sgml/config.sgml 2006-08-30 16:01:12.000000000 +0400 --- ./doc/src/sgml/config.sgml 2006-08-30 16:04:11.000000000 +0400 *************** *** 555,561 **** ! password_encryption (boolean) --- 555,596 ---- ! ! ssl_ciphers> (string) ! ! ssl_ciphers configuration parameter ! ! ! ! Specifies list of SSL ciphers, which can be used to ! establish secure connection. See manual page for ! openssl ciphers ! command to find list of allowed values and their semantics. ! ! ! ! ! ssl_engine (string) ! ! ssl_engine configuration parameter ! ! ! ! Specifies name of OpenSSL engine (loadable module), ! which should be used to perform cryptographic operation during ! SSL connections. Typically engines are used to ! support hardware cryptographic accelerators. See ! OpenSSL documentation for more information about ! engines. ! ! ! Value of this option is engine identifier. Deafault value is ! NULL, which means that default OpenSSL ! implementations of cryptoalgorithms should be used. ! ! ! ! password_encryption (boolean) diff -crN ../pgsql-20060830/doc/src/sgml/runtime.sgml ./doc/src/sgml/runtime.sgml *** ../pgsql-20060830/doc/src/sgml/runtime.sgml 2006-08-30 16:01:12.000000000 +0400 --- ./doc/src/sgml/runtime.sgml 2006-08-30 16:04:11.000000000 +0400 *************** *** 1516,1521 **** --- 1516,1539 ---- + OpenSSL supports wide range of ciphers + and authentication algorithms, which strength varies significantly. + You can restrict list of ciphers which can be used to connect to + your server using parameter. + + + + OpenSSL supports loadable module, called + engines, which can provide alternative (typically hardware + accelerated) implementation of cryptographic algorithms. Starting + with version 0.9.9 it also supports adding of new (for instance + Russian or Japanese national standards) cryptoalgorithms via engine. 
+ + + PostgreSQL allows to specify engine to use via + configuration file parameter. + + For details on how to create your server private key and certificate, refer to the OpenSSL documentation. A self-signed certificate can be used for testing, but a diff -crN ../pgsql-20060830/src/backend/libpq/be-secure.c ./src/backend/libpq/be-secure.c *** ../pgsql-20060830/src/backend/libpq/be-secure.c 2006-08-30 16:01:28.000000000 +0400 --- ./src/backend/libpq/be-secure.c 2006-08-30 16:04:11.000000000 +0400 *************** *** 92,97 **** --- 92,98 ---- #ifdef USE_SSL #include #include + #include #endif #include "libpq/libpq.h" *************** *** 125,130 **** --- 126,136 ---- #define RENEGOTIATION_LIMIT (512 * 1024 * 1024) static SSL_CTX *SSL_context = NULL; + + /* GUC variables contrilling SSL connection*/ + extern char *SSLEngine; + extern char *SSLCipherSuites; + #endif /* ------------------------------------------------------------ */ *************** *** 714,724 **** --- 720,755 ---- initialize_SSL(void) { struct stat buf; + static int loaded_engines=0; if (!SSL_context) { SSL_library_init(); SSL_load_error_strings(); + if (SSLEngine!=NULL) + { + ENGINE *e=NULL; + if (!loaded_engines) + { + ENGINE_load_builtin_engines(); + loaded_engines=1; + } + if ((e = ENGINE_by_id(SSLEngine))==NULL) + { + ereport(FATAL, + (errcode(ERRCODE_CONFIG_FILE_ERROR), + errmsg("failed to load engine %s: %s", + SSLEngine,ERR_error_string(ERR_get_error(),NULL)))); + } + if (!ENGINE_set_default(e,ENGINE_METHOD_ALL)) + { + ereport(FATAL, + (errcode(ERRCODE_CONFIG_FILE_ERROR), + errmsg("failed to enable engine %s: %s", + SSLEngine,ERR_error_string(ERR_get_error(),NULL)))); + } + ENGINE_free(e); + } SSL_context = SSL_CTX_new(SSLv23_method()); if (!SSL_context) ereport(FATAL, *************** *** 778,784 **** SSL_CTX_set_options(SSL_context, SSL_OP_SINGLE_DH_USE | SSL_OP_NO_SSLv2); /* setup the allowed cipher list */ ! 
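Review bot: The `extern char *SSLEngine;` and `extern char *SSLCipherSuites;` declarations added under `#ifdef USE_SSL` in be-secure.c duplicate the declarations this same patch adds to src/include/postmaster/postmaster.h, leaving two places that must agree on the type. Prefer `#include "postmaster/postmaster.h"` (if it is not already pulled in above the hunk) and drop the local externs. The new comment also has a typo and should read `/* GUC variables controlling SSL connections */`.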
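Review bot: The new engine block in initialize_SSL treats `ssl_engine` as a plain lookup, but `ENGINE_by_id()` is not only a lookup: when the id matches no registered built-in engine, OpenSSL's dynamic engine will try to load a shared object of that name from its engines directory, so this GUC effectively names a library to be loaded into the postmaster, which deserves a comment here and a sentence in the docs even though PGC_POSTMASTER keeps it out of reach of ordinary sessions. Relatedly, `ENGINE_set_default(e, ENGINE_METHOD_ALL)` also makes the engine the process-wide default for RAND and for any digest/cipher work done through OpenSSL outside the TLS path, which may be intended but should be stated. The guard should ignore an empty setting rather than failing on `ENGINE_by_id("")`: `if (SSLEngine != NULL && SSLEngine[0] != '\0')`. Both error messages use `ERR_error_string(..., NULL)`, which formats into a static buffer; `ERR_error_string_n()` into a local array is the safer form. initialize_SSL's body continues past the end of the hunk.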
if (SSL_CTX_set_cipher_list(SSL_context, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH") != 1) elog(FATAL, "could not set the cipher list (no valid ciphers available)"); /* --- 809,815 ---- SSL_CTX_set_options(SSL_context, SSL_OP_SINGLE_DH_USE | SSL_OP_NO_SSLv2); /* setup the allowed cipher list */ ! if (SSL_CTX_set_cipher_list(SSL_context, SSLCipherSuites) != 1) elog(FATAL, "could not set the cipher list (no valid ciphers available)"); /* diff -crN ../pgsql-20060830/src/backend/postmaster/postmaster.c ./src/backend/postmaster/postmaster.c *** ../pgsql-20060830/src/backend/postmaster/postmaster.c 2006-08-30 16:01:32.000000000 +0400 --- ./src/backend/postmaster/postmaster.c 2006-08-30 16:04:11.000000000 +0400 *************** *** 186,191 **** --- 186,193 ---- /* still more option variables */ bool EnableSSL = false; + char * SSLCipherSuites; + char * SSLEngine; bool SilentMode = false; /* silent mode (-S) */ int PreAuthDelay = 0; diff -crN ../pgsql-20060830/src/backend/utils/misc/guc.c ./src/backend/utils/misc/guc.c *** ../pgsql-20060830/src/backend/utils/misc/guc.c 2006-08-30 16:01:36.000000000 +0400 --- ./src/backend/utils/misc/guc.c 2006-08-30 16:04:11.000000000 +0400 *************** *** 2233,2239 **** &external_pid_file, NULL, assign_canonical_path, NULL }, ! /* End-of-list marker */ { {NULL, 0, 0, NULL, NULL}, NULL, NULL, NULL, NULL --- 2233,2257 ---- &external_pid_file, NULL, assign_canonical_path, NULL }, ! { ! {"ssl_ciphers", PGC_POSTMASTER, CONN_AUTH_SECURITY, ! gettext_noop("List of allowed SSL ciphersuites"), ! NULL, ! GUC_SUPERUSER_ONLY ! }, ! &SSLCipherSuites, ! "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH",NULL,NULL ! }, ! { ! {"ssl_engine", PGC_POSTMASTER, CONN_AUTH_SECURITY, ! gettext_noop("Loadable cryptographic engine to use"), ! NULL, ! GUC_SUPERUSER_ONLY ! }, ! &SSLEngine, ! NULL,NULL,NULL ! }, ! 
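Review bot: The FATAL raised when `SSL_CTX_set_cipher_list(SSL_context, SSLCipherSuites)` fails still says only "could not set the cipher list", but the list is now administrator-supplied rather than a compiled-in constant, so the rejected value belongs in the message: `elog(FATAL, "could not set the cipher list \"%s\" (no valid ciphers available)", SSLCipherSuites);` (or an `ereport` with ERRCODE_CONFIG_FILE_ERROR, matching the engine errors added earlier in this function). Note that `SSL_CTX_set_cipher_list` fails only when no suite matches at all; a setting such as `'LOW'` or `'NULL'` is accepted and silently weakens every connection, so the comment above the call should say that no strength floor is enforced here. initialize_SSL begins outside this hunk.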
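Review bot: `char * SSLCipherSuites;` and `char * SSLEngine;` in postmaster.c bind the `*` to neither side; PostgreSQL code attaches it to the name, so these should be `char *SSLCipherSuites;` and `char *SSLEngine;`, matching the `extern char *...` forms the patch adds to postmaster.h. Relying on static zero-initialisation for the NULL that initialize_SSL tests is correct, but an explicit `= NULL` next to `bool EnableSSL = false;` makes that dependency visible.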
/* End-of-list marker */ { {NULL, 0, 0, NULL, NULL}, NULL, NULL, NULL, NULL diff -crN ../pgsql-20060830/src/backend/utils/misc/postgresql.conf.sample ./src/backend/utils/misc/postgresql.conf.sample *** ../pgsql-20060830/src/backend/utils/misc/postgresql.conf.sample 2006-08-30 16:01:36.000000000 +0400 --- ./src/backend/utils/misc/postgresql.conf.sample 2006-08-30 16:11:40.000000000 +0400 *************** *** 71,76 **** --- 71,78 ---- #authentication_timeout = 60 # 1-600, in seconds #ssl = off # (change requires restart) + #ssl_engine = 'ncipher' # Name of the OpenSSL engine to use + #ssl_ciphers = 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH' # List of ciphers to use #password_encryption = on #db_user_namespace = off diff -crN ../pgsql-20060830/src/include/postmaster/postmaster.h ./src/include/postmaster/postmaster.h *** ../pgsql-20060830/src/include/postmaster/postmaster.h 2006-08-30 16:01:42.000000000 +0400 --- ./src/include/postmaster/postmaster.h 2006-08-30 16:04:11.000000000 +0400 *************** *** 15,20 **** --- 15,22 ---- /* GUC options */ extern bool EnableSSL; + extern char *SSLCipherSuites; + extern char *SSLEngine; extern bool SilentMode; extern int ReservedBackends; extern int PostPortNumber;
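Review bot: The `ssl_ciphers` default `ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH` carries the old hard-coded list over verbatim, but now that it is the documented default it is worth noting that `!ADH` removes only anonymous DH suites; if the linked OpenSSL offers anonymous ECDH (AECDH) suites, `ALL` still admits them, and `!aNULL` is the cipher-string token that excludes every unauthenticated suite. Neither new entry has an assign hook, so an unparseable `ssl_ciphers` or unknown `ssl_engine` is only detected when initialize_SSL runs at postmaster start, which is acceptable for PGC_POSTMASTER parameters but should be mentioned in the short description or docs. If the other entries in this table use the "Sets the ..." phrasing, `gettext_noop("Sets the list of allowed SSL ciphers.")` and `gettext_noop("Sets the OpenSSL engine used for SSL connections.")` would match them. The enclosing array definition starts outside the hunk.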
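Review bot: The two new sample lines lack the `# (change requires restart)` annotation that the adjacent `#ssl = off` line carries, even though both parameters are registered PGC_POSTMASTER in guc.c; add it so administrators do not expect a reload to pick them up. The `ssl_engine` example shows a specific vendor id (`'ncipher'`) without saying what it is; since the id names an OpenSSL engine the server process will load, the comment should make that explicit, e.g. `#ssl_engine = 'ncipher' # OpenSSL engine id to load (change requires restart)`. The `ssl_ciphers` line should likewise end with `# allowed SSL ciphers (change requires restart)`.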