Postgres Pro
Downloads
Home   >   mailing lists

Thread: [HACKERS] libpq connection strings: control over the cipher suites?

[HACKERS] libpq connection strings: control over the cipher suites?

From
Graham Leggett
Date:
Hi all,

According to the docs at https://www.postgresql.org/docs/9.5/static/libpq-connect.html#LIBPQ-CONNSTRING there are
variousparameters that control ssl from the client side, including providing the ssl certs, keys, etc. 

Is there a parameter or mechanism for setting the required ssl cipher list from the client side?

Regards,
Graham
—

Re: [HACKERS] libpq connection strings: control over the ciphersuites?

From
Joe Conway
Date:
On 11/09/2017 03:27 AM, Graham Leggett wrote:
> Is there a parameter or mechanism for setting the required ssl cipher list from the client side?

I don't believe so. That is controlled by ssl_ciphers, which requires a
restart in order to change.

https://www.postgresql.org/docs/10/static/runtime-config-connection.html#GUC-SSL-CIPHERS

select name,setting,context from pg_settings where name like '%ssl%';          name            |         setting
 |  context 
---------------------------+--------------------------+------------ssl                       | off
|postmasterssl_ca_file               |                          | postmasterssl_cert_file             | server.crt
        | postmasterssl_ciphers               | HIGH:MEDIUM:+3DES:!aNULL | postmasterssl_crl_file              |
                 | postmasterssl_ecdh_curve            | prime256v1               | postmasterssl_key_file
|server.key               | postmasterssl_prefer_server_ciphers | on                       | postmaster 
(8 rows)

HTH,

Joe

--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development

Re: [HACKERS] libpq connection strings: control over the cipher suites?

From
Michael Paquier
Date:
On Fri, Nov 10, 2017 at 2:53 AM, Joe Conway <mail@joeconway.com> wrote:
> On 11/09/2017 03:27 AM, Graham Leggett wrote:
>> Is there a parameter or mechanism for setting the required ssl cipher list from the client side?
>
> I don't believe so. That is controlled by ssl_ciphers, which requires a
> restart in order to change.
>
> https://www.postgresql.org/docs/10/static/runtime-config-connection.html#GUC-SSL-CIPHERS

Since commit de41869 present in v10, SSL parameters can be reloaded.
On libpq there is only an API to have a look at what are the ciphers
set by the server via PQsslAttribute().
-- 
Michael


-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] libpq connection strings: control over the ciphersuites?

From
Joe Conway
Date:
On 11/09/2017 03:17 PM, Michael Paquier wrote:
> On Fri, Nov 10, 2017 at 2:53 AM, Joe Conway <mail@joeconway.com> wrote:
>> On 11/09/2017 03:27 AM, Graham Leggett wrote:
>>> Is there a parameter or mechanism for setting the required ssl cipher list from the client side?
>>
>> I don't believe so. That is controlled by ssl_ciphers, which requires a
>> restart in order to change.
>>
>> https://www.postgresql.org/docs/10/static/runtime-config-connection.html#GUC-SSL-CIPHERS
>
> Since commit de41869 present in v10, SSL parameters can be reloaded.

Oh, cool, I must have missed that -- thanks!

Joe

--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development