Re: fe-secure.c and SSL/TLS - Mailing list pgsql-hackers

> I could not get TLSv1.1+ with that.  But I'm working against
> Ubuntu 12.04 default OpenSSL.  I'll try with other versions too.
That looks like a Ubuntu 12.04 limitation: http://postimg.org/image/3ju4fu0y1/

I would bet the 1.0.0 version of OpenSSL is less that 1.0.0h:

$ ldd /usr/lib/x86_64-linux-gnu/libssl.so   linux-vdso.so.1 =>  (0x00007fffd9d84000)   libcrypto.so.1.0.0 =>
/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
(0x00007f1e0691e000)   libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1e0655e000)   libdl.so.2 =>
/lib/x86_64-linux-gnu/libdl.so.2(0x00007f1e06359000)   libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1
(0x00007f1e06142000)  /lib64/ld-linux-x86-64.so.2 (0x00007f1e06f6d000)
 

Gotta love back patching and broken versioning ;)

Jeff

On Sat, Nov 30, 2013 at 4:12 AM, Marko Kreen <markokr@gmail.com> wrote:
> On Sat, Nov 30, 2013 at 03:46:06AM -0500, Jeffrey Walton wrote:
>> >> I believe the "standard" way of achieving TLS1.0 and above is to use
>> >> the SSLv23_client_method() and then remove the SSL protocols with
>> >> SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3. I have to use handwaiving around
>> >> "standard" because I don't believe its documented anywhere (one of the
>> >> devs told me its the standard way to do it.).
>> >
>> > Indeed - Python ssl module seems to achieve TLSv1.1 and it uses
>> > SSLv23_method().  But still no TLSv1.2.
>> It sounds like they are using the TLSv1_1_method(). You can check it
>> with Wireshark. The Client Hello will advertise the highest version of
>> the protocol supported. See http://postimg.org/image/e4mk3nhhl/.
>
> No, they are using SSLv23_method().  And I can confirm - I did small
> C program with SSLv23_method and SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3,
> and it requests up to TLSv1.1.
>
>> If Python is not advertising TLS 1.2, then they should use the
>> SSLv23_method() with SSL_OP_NO_SSLv2, SSL_OP_NO_SSLv3 and
>> SSL_OP_NO_TLSv1. That will get them TLS 1.1 and above. From ssl.h,
>> around line 605:
>>
>> #define SSL_OP_NO_SSLv2                    0x01000000L
>> #define SSL_OP_NO_SSLv3                    0x02000000L
>> #define SSL_OP_NO_TLSv1                    0x04000000L
>> #define SSL_OP_NO_TLSv1_2                0x08000000L
>> #define SSL_OP_NO_TLSv1_1                0x10000000L
>>
>> If you only want TLS 1.1 and 1.2, you can further trim your preferred
>> cipher list. TLS 1.1 did not add any ciphers, so your list might look
>> like (the TLS 1.0 ciphers can be used in TLS 1.1):
>
> I could not get TLSv1.1+ with that.  But I'm working against
> Ubuntu 12.04 default OpenSSL.  I'll try with other versions too.
>
>> Personally, I'd like to drop TLS 1.0 (even though the complaints are
>> mainly academic). But I think its still needed for interop. I've never
>> rolled a system without it enabled.
>
> Good thing in about libpq is that it knows server is OpenSSL.  Bad thing
> is that server may be old, so we need to support servers down to
> OpenSSL 0.9.7.  Which means TLSv1.0.