Victor B. Wagner wrote:

This patch adds the following functionality to PostgreSQL:

1. If PostgreSQL is compiled with OpenSSL version 0.9.7 and above, both the backend and libpq read the site-wide OpenSSL configuration file, as described in the OPENSSL_config function manual page.

This allows the use of hardware crypto acceleration modules (engines) and, in the future version 0.9.9, would allow the use of additional crypto algorithms (i.e. national standards) which are not included in core OpenSSL.

All other configuration parameters which are supported by the OpenSSL library are also taken into account.

2. A new configuration option "ssl_ciphers" is added to postgresql.conf. This option allows changing the list of ciphers acceptable to the backend during an SSL connection. Changing the list of ciphers can be desirable to tighten or relax the security of a particular installation, and allows a quick fix at the configuration-file level in case a vulnerability is discovered in one of the crypto algorithms or their OpenSSL implementation: cipher suites which use such an algorithm can be easily disabled.

3. If libpq is compiled with OpenSSL 0.9.7 and above, compiled with engine support, it is possible to store the secret key of the client certificate on a hardware token supported by one of the OpenSSL engines (Hardware Security Module). The name of the engine which supports the token and the engine-specific key ID are specified using the environment variable PGSSLKEY.

This allows the use of hardware tokens such as smartcards to identify clients connecting to the database.

This functionality can be used in installations with high security requirements or in situations where several people can use the same terminal (such as a cash register in shops or malls).

If PostgreSQL is compiled with a version of OpenSSL which does not support engines or doesn't have the OPENSSL_config function, the related functionality is excluded by preprocessor conditionals, based on the value of the SSLEAY_VERSION_NUMBER preprocessor symbol, which is defined by all versions of OpenSSL.

---------------------------(end of broadcast)---------------------------
TIP 5: don't forget to increase your free space map settings
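As an added example (not part of the patch or of this thread), the Python below uses the standard ssl module, which hands a cipher-list string to the same OpenSSL parser that a server-side cipher-list call such as SSL_CTX_set_cipher_list() uses, to show what a given ssl_ciphers value actually selects and how appending a `!ALGORITHM` term drops every suite built on that algorithm. The spec strings are constructed for the example; how the patch itself feeds the GUC to OpenSSL is assumed, not shown.

```python
import ssl

# Constructed cipher-list strings of the kind the ssl_ciphers GUC takes.
# OpenSSL's parser, not Python, decides what each one selects.
PERMISSIVE_SPEC = "DEFAULT"
HARDENED_SPEC = "HIGH:!aNULL:!MD5:!3DES"


def suites_for(spec):
    """Return the TLS 1.2-and-below suite names OpenSSL selects for `spec`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)
    # TLS 1.3 suites are governed separately and show up in get_ciphers()
    # whatever the list says; keep only the suites the list controls.
    return sorted(c["name"] for c in ctx.get_ciphers()
                  if c["protocol"] != "TLSv1.3")


def spec_is_valid(spec):
    """True if OpenSSL accepts `spec`.

    OpenSSL rejects a list that selects no suite at all, so a mistyped
    value cannot silently widen or narrow the allowed set; checking the
    string before putting it in postgresql.conf catches the typo early.
    """
    try:
        ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).set_ciphers(spec)
        return True
    except ssl.SSLError:
        return False


def disabled_by(base_spec, algorithm):
    """Suites offered under `base_spec` that a '!<algorithm>' term removes.

    This is the configuration-level quick fix the patch describes: once a
    MAC, cipher or key-exchange algorithm is found weak, appending e.g.
    ':!MD5' or ':!3DES' to ssl_ciphers drops every suite that uses it.
    """
    before = set(suites_for(base_spec))
    after = set(suites_for(f"{base_spec}:!{algorithm}"))
    return sorted(before - after)


if __name__ == "__main__":
    print("permissive:", len(suites_for(PERMISSIVE_SPEC)), "suites")
    print("hardened:  ", len(suites_for(HARDENED_SPEC)), "suites")
    print("dropped by !SHA1:", disabled_by("HIGH:!aNULL", "SHA1"))
    print("typo accepted?", spec_is_valid("HIHG:!aNULL"))
```

The exact suite names depend on the OpenSSL build Python links against; the sets differ, the logic does not.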
This has been saved for the 8.3 release:

http://momjian.postgresql.org/cgi-bin/pgpatches_hold

---------------------------------------------------------------------------

Victor B. Wagner wrote:
> This patch adds the following functionality to PostgreSQL:
>
> 1. If PostgreSQL is compiled with OpenSSL version 0.9.7 and above, both the backend and libpq read the site-wide OpenSSL configuration file, as described in the OPENSSL_config function manual page.
>
> This allows the use of hardware crypto acceleration modules (engines) and, in the future version 0.9.9, would allow the use of additional crypto algorithms (i.e. national standards) which are not included in core OpenSSL.
>
> All other configuration parameters which are supported by the OpenSSL library are also taken into account.
>
> 2. A new configuration option "ssl_ciphers" is added to postgresql.conf. This option allows changing the list of ciphers acceptable to the backend during an SSL connection. Changing the list of ciphers can be desirable to tighten or relax the security of a particular installation, and allows a quick fix at the configuration-file level in case a vulnerability is discovered in one of the crypto algorithms or their OpenSSL implementation: cipher suites which use such an algorithm can be easily disabled.
>
> 3. If libpq is compiled with OpenSSL 0.9.7 and above, compiled with engine support, it is possible to store the secret key of the client certificate on a hardware token supported by one of the OpenSSL engines (Hardware Security Module). The name of the engine which supports the token and the engine-specific key ID are specified using the environment variable PGSSLKEY.
>
> This allows the use of hardware tokens such as smartcards to identify clients connecting to the database.
>
> This functionality can be used in installations with high security requirements or in situations where several people can use the same terminal (such as a cash register in shops or malls).
>
> If PostgreSQL is compiled with a version of OpenSSL which does not support engines or doesn't have the OPENSSL_config function, the related functionality is excluded by preprocessor conditionals, based on the value of the SSLEAY_VERSION_NUMBER preprocessor symbol, which is defined by all versions of OpenSSL.

--
Bruce Momjian bruce@momjian.us
EnterpriseDB http://www.enterprisedb.com
+ If your life is a hard drive, Christ can be your backup. +
Your patch has been added to the PostgreSQL unapplied patches list at:

http://momjian.postgresql.org/cgi-bin/pgpatches

It will be applied as soon as one of the PostgreSQL committers reviews and approves it.

---------------------------------------------------------------------------

Victor B. Wagner wrote:
> This patch adds the following functionality to PostgreSQL:
>
> 1. If PostgreSQL is compiled with OpenSSL version 0.9.7 and above, both the backend and libpq read the site-wide OpenSSL configuration file, as described in the OPENSSL_config function manual page.
>
> This allows the use of hardware crypto acceleration modules (engines) and, in the future version 0.9.9, would allow the use of additional crypto algorithms (i.e. national standards) which are not included in core OpenSSL.
>
> All other configuration parameters which are supported by the OpenSSL library are also taken into account.
>
> 2. A new configuration option "ssl_ciphers" is added to postgresql.conf. This option allows changing the list of ciphers acceptable to the backend during an SSL connection. Changing the list of ciphers can be desirable to tighten or relax the security of a particular installation, and allows a quick fix at the configuration-file level in case a vulnerability is discovered in one of the crypto algorithms or their OpenSSL implementation: cipher suites which use such an algorithm can be easily disabled.
>
> 3. If libpq is compiled with OpenSSL 0.9.7 and above, compiled with engine support, it is possible to store the secret key of the client certificate on a hardware token supported by one of the OpenSSL engines (Hardware Security Module). The name of the engine which supports the token and the engine-specific key ID are specified using the environment variable PGSSLKEY.
>
> This allows the use of hardware tokens such as smartcards to identify clients connecting to the database.
>
> This functionality can be used in installations with high security requirements or in situations where several people can use the same terminal (such as a cash register in shops or malls).
>
> If PostgreSQL is compiled with a version of OpenSSL which does not support engines or doesn't have the OPENSSL_config function, the related functionality is excluded by preprocessor conditionals, based on the value of the SSLEAY_VERSION_NUMBER preprocessor symbol, which is defined by all versions of OpenSSL.

--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://www.enterprisedb.com
+ If your life is a hard drive, Christ can be your backup. +
Victor B. Wagner wrote:
> This patch adds the following functionality to PostgreSQL:
>
> 1. If PostgreSQL is compiled with OpenSSL version 0.9.7 and above, both the backend and libpq read the site-wide OpenSSL configuration file, as described in the OPENSSL_config function manual page.
>
> This allows the use of hardware crypto acceleration modules (engines) and, in the future version 0.9.9, would allow the use of additional crypto algorithms (i.e. national standards) which are not included in core OpenSSL.
>
> All other configuration parameters which are supported by the OpenSSL library are also taken into account.
>
> 2. A new configuration option "ssl_ciphers" is added to postgresql.conf. This option allows changing the list of ciphers acceptable to the backend during an SSL connection. Changing the list of ciphers can be desirable to tighten or relax the security of a particular installation, and allows a quick fix at the configuration-file level in case a vulnerability is discovered in one of the crypto algorithms or their OpenSSL implementation: cipher suites which use such an algorithm can be easily disabled.

Why are you adding "ssl_ciphers" to postgresql.conf? Can't you control that from the site-wide OpenSSL configuration file added above?

--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://www.enterprisedb.com
+ If your life is a hard drive, Christ can be your backup. +
Never mind, I found the answer:

http://archives.postgresql.org/pgsql...8/msg01931.php

Working on the patch now.

---------------------------------------------------------------------------

Bruce Momjian wrote:
> Victor B. Wagner wrote:
> > This patch adds the following functionality to PostgreSQL:
> >
> > 1. If PostgreSQL is compiled with OpenSSL version 0.9.7 and above, both the backend and libpq read the site-wide OpenSSL configuration file, as described in the OPENSSL_config function manual page.
> >
> > This allows the use of hardware crypto acceleration modules (engines) and, in the future version 0.9.9, would allow the use of additional crypto algorithms (i.e. national standards) which are not included in core OpenSSL.
> >
> > All other configuration parameters which are supported by the OpenSSL library are also taken into account.
> >
> > 2. A new configuration option "ssl_ciphers" is added to postgresql.conf. This option allows changing the list of ciphers acceptable to the backend during an SSL connection. Changing the list of ciphers can be desirable to tighten or relax the security of a particular installation, and allows a quick fix at the configuration-file level in case a vulnerability is discovered in one of the crypto algorithms or their OpenSSL implementation: cipher suites which use such an algorithm can be easily disabled.
>
> Why are you adding "ssl_ciphers" to postgresql.conf? Can't you control that from the site-wide OpenSSL configuration file added above?

--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://www.enterprisedb.com
+ If your life is a hard drive, Christ can be your backup. +
Patch applied --- SSL improvements:

o read global SSL configuration file
o add GUC "ssl_ciphers" to control allowed ciphers
o add libpq environment variable PGSSLKEY to control SSL hardware keys

I adjusted the documentation wording and some of the single-letter variable names you used --- the applied version is attached.

Thanks.

---------------------------------------------------------------------------

Victor B. Wagner wrote:
> This patch adds the following functionality to PostgreSQL:
>
> 1. If PostgreSQL is compiled with OpenSSL version 0.9.7 and above, both the backend and libpq read the site-wide OpenSSL configuration file, as described in the OPENSSL_config function manual page.
>
> This allows the use of hardware crypto acceleration modules (engines) and, in the future version 0.9.9, would allow the use of additional crypto algorithms (i.e. national standards) which are not included in core OpenSSL.
>
> All other configuration parameters which are supported by the OpenSSL library are also taken into account.
>
> 2. A new configuration option "ssl_ciphers" is added to postgresql.conf. This option allows changing the list of ciphers acceptable to the backend during an SSL connection. Changing the list of ciphers can be desirable to tighten or relax the security of a particular installation, and allows a quick fix at the configuration-file level in case a vulnerability is discovered in one of the crypto algorithms or their OpenSSL implementation: cipher suites which use such an algorithm can be easily disabled.
>
> 3. If libpq is compiled with OpenSSL 0.9.7 and above, compiled with engine support, it is possible to store the secret key of the client certificate on a hardware token supported by one of the OpenSSL engines (Hardware Security Module). The name of the engine which supports the token and the engine-specific key ID are specified using the environment variable PGSSLKEY.
>
> This allows the use of hardware tokens such as smartcards to identify clients connecting to the database.
>
> This functionality can be used in installations with high security requirements or in situations where several people can use the same terminal (such as a cash register in shops or malls).
>
> If PostgreSQL is compiled with a version of OpenSSL which does not support engines or doesn't have the OPENSSL_config function, the related functionality is excluded by preprocessor conditionals, based on the value of the SSLEAY_VERSION_NUMBER preprocessor symbol, which is defined by all versions of OpenSSL.

--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://www.enterprisedb.com
+ If your life is a hard drive, Christ can be your backup. +