external
/
citus
mirror of https://github.com/citusdata/citus.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Use Microsoft approved cipher string (#3639) 

This cipher string is approved by the Microsoft security team and only enables
TLSv1.2 ciphers.
pull/3648/head
Jelte Fennema 2020-03-24 15:51:44 +01:00 committed by GitHub
parent 2aabe3e2ef
commit 149f0b2122
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 21 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
src/backend/distributed/utils/enable_ssl.c
View File

@ -37,7 +37,22 @@
#define X509_SUBJECT_COMMON_NAME "CN"
#define POSTGRES_DEFAULT_SSL_CIPHERS "HIGH:MEDIUM:+3DES:!aNULL"
#define CITUS_DEFAULT_SSL_CIPHERS "TLSv1.2+HIGH:!aNULL:!eNULL"
#define CITUS_DEFAULT_SSL_CIPHERS_OLD "TLSv1.2+HIGH:!aNULL:!eNULL"
/*
* Microsoft approved cipher string.
* This cipher string implicitely enables only TLSv1.2+, because these ciphers
* were all added in TLSv1.2. This can be confirmed by running:
* openssl -v <below strings concatenated>
*/
#define CITUS_DEFAULT_SSL_CIPHERS "ECDHE-ECDSA-AES128-GCM-SHA256:" \
"ECDHE-ECDSA-AES256-GCM-SHA384:" \
"ECDHE-RSA-AES128-GCM-SHA256:" \
"ECDHE-RSA-AES256-GCM-SHA384:" \
"ECDHE-ECDSA-AES128-SHA256:" \
"ECDHE-ECDSA-AES256-SHA384:" \
"ECDHE-RSA-AES128-SHA256:" \
"ECDHE-RSA-AES256-SHA384"
#define SET_CITUS_SSL_CIPHERS_QUERY \
"ALTER SYSTEM SET ssl_ciphers TO '" CITUS_DEFAULT_SSL_CIPHERS "';"

6
src/test/regress/expected/ssl_by_default.out
View File

@ -53,7 +53,7 @@ $$);
SHOW ssl_ciphers;
ssl_ciphers
---------------------------------------------------------------------
TLSv1.2+HIGH:!aNULL:!eNULL
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384
(1 row)
SELECT run_command_on_workers($$
@ -61,7 +61,7 @@ SELECT run_command_on_workers($$
$$);
run_command_on_workers
---------------------------------------------------------------------
(localhost,57637,t,TLSv1.2+HIGH:!aNULL:!eNULL)
(localhost,57638,t,TLSv1.2+HIGH:!aNULL:!eNULL)
(localhost,57637,t,ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384)
(localhost,57638,t,ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384)
(2 rows)