Re: Force disable of SSL renegociation in the server - Mailing list pgsql-hackers

From Daniel Gustafsson
Subject Re: Force disable of SSL renegociation in the server
Msg-id BA825D91-6269-4B49-9529-2829F185EEE4@yesql.se
In response to Re: Force disable of SSL renegociation in the server  (Michael Paquier <michael@paquier.xyz>)
Responses Re: Force disable of SSL renegociation in the server
List pgsql-hackers
> On 24 May 2021, at 03:29, Michael Paquier <michael@paquier.xyz> wrote:

> I got to look at that in details, and the attached would be able to do
> the job with OpenSSL 1.0.2 and older versions.  The main idea is to
> set up SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS once the SSL object is
> created when opening the TLS connection to business.  I have tested
> that down to 0.9.8 on all supported branches with the protocols we
> support (heads up to ssl_min_protocol_version here), and that looks to
> work as I'd expect.
>
> It is not a good idea to rely on OPENSSL_VERSION_NUMBER for such
> version checks as I am doing here, as we've been bitten with
> compatibility with LibreSSL in the past.  So this had better use a
> check based on HAVE_OPENSSL_INIT_SSL to make sure that 1.1.0 is the
> version of OpenSSL used.

I agree that a capability based check is better than using the version numbers
as there is a collision risk between distributions (and even within OpenSSL, as
NetBSD for example invented their own version, etc).

> Anyway, I really don't like using this undocumented option, and there is
> nothing that can be done with OpenSSL < 1.1.0h in the 1.1.0 series as the s3
> part of the *SSL object gets hidden to the application, so it is not possible
> to set SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS there.

1.1.0d killed what was left of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS while keeping
it defined, so there is also very little value in even attempting it there.

+1 on the patch, LGTM.

--
Daniel Gustafsson        https://vmware.com/
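The patch discussed above makes the server refuse client-initiated renegotiation; the natural follow-up for an operator is to confirm from the outside that a given server actually refuses it. The script below is an added example written for this page, not code from the thread or from PostgreSQL. It drives `openssl s_client` (assumed to be OpenSSL 1.1.0 or newer, which understands `-starttls postgres`) and types the `R` command into it, which asks s_client to renegotiate; because TLS 1.3 has no renegotiation, the probe pins TLS 1.2. The output interpretation in `classify_renego` is a heuristic over what s_client prints (the literal `RENEGOTIATING` marker, followed either by normal traffic or by an error mentioning an alert or "no renegotiation") and is labelled as such; the host, port and sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or from PostgreSQL): probe whether a
# PostgreSQL server accepts a client-initiated TLS renegotiation.
# Assumes openssl s_client from OpenSSL 1.1.0+ (for -starttls postgres).
set -eu

# classify_renego OUTPUT
# Heuristic reading of s_client output captured after sending 'R':
#   allowed - s_client logged RENEGOTIATING and nothing went wrong afterwards
#   refused - an alert, "no renegotiation" or other error followed the attempt
#   unknown - no renegotiation attempt is visible (connection failed earlier)
classify_renego() {
    out=$1
    case "$out" in
        *RENEGOTIATING*)
            # Only look at what happened after the renegotiation was requested.
            after=${out#*RENEGOTIATING}
            case "$after" in
                *alert*|*"no renegotiation"*|*error*) echo refused ;;
                *) echo allowed ;;
            esac
            ;;
        *) echo unknown ;;
    esac
}

# probe_renego HOST [PORT]
# Opens a PostgreSQL STARTTLS session, pins TLS 1.2 so that 'R' really is a
# renegotiation request, and classifies what the server did with it.
probe_renego() {
    host=$1
    port=${2:-5432}
    # The sleep keeps stdin open long enough for the server's answer to arrive
    # before EOF makes s_client close the session. Non-zero exit is expected
    # when the server tears the connection down, so do not let set -e abort.
    out=$( { printf 'R\n'; sleep 2; } | openssl s_client -connect "$host:$port" \
             -starttls postgres -tls1_2 2>&1 ) || true
    classify_renego "$out"
}

# Usage: ./renego_probe.sh db.example.internal 5432   (constructed host name)
if [ "$#" -ge 1 ]; then
    probe_renego "$@"
fi
```

A result of `allowed` against a server built with OpenSSL 1.0.2 or older is exactly the condition the patch is meant to remove; `refused` is the expected outcome on a patched server or on one linked against OpenSSL 1.1.0h or newer. Treat `unknown` as a failed measurement rather than as a verdict.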
