From 694992e946ef181d84f37546afe0011c54b1b8b9 Mon Sep 17 00:00:00 2001
From: Nils Dijk
Date: Tue, 11 Dec 2018 17:39:19 +0100
Subject: [PATCH] upgrade default ssl_ciphers to more restrictive on extension creation

Show ssl_ciphers in ssl_by_default_test
---
 src/backend/distributed/utils/enable_ssl.c | 15 +++++++++++++++
 src/test/regress/expected/ssl_by_default.out | 15 +++++++++++++++
 src/test/regress/sql/ssl_by_default.sql | 5 +++++
 3 files changed, 35 insertions(+)

diff --git a/src/backend/distributed/utils/enable_ssl.c b/src/backend/distributed/utils/enable_ssl.c
index 26ba3cbda..5f32e8a47 100644
--- a/src/backend/distributed/utils/enable_ssl.c
+++ b/src/backend/distributed/utils/enable_ssl.c
@@ -35,6 +35,11 @@
 #define CITUS_AUTO_SSL_COMMON_NAME "citus-auto-ssl"
 #define X509_SUBJECT_COMMON_NAME "CN"
 
+#define POSTGRES_DEFAULT_SSL_CIPHERS "HIGH:MEDIUM:+3DES:!aNULL"
+#define CITUS_DEFAULT_SSL_CIPHERS "TLSv1.2+HIGH:!aNULL:!eNULL"
+#define SET_CITUS_SSL_CIPHERS_QUERY \
+	"ALTER SYSTEM SET ssl_ciphers TO '" CITUS_DEFAULT_SSL_CIPHERS "';"
+
 /* forward declaration of helper functions */
 static void GloballyReloadConfig(void);
 
@@ -80,6 +85,16 @@ citus_setup_ssl(PG_FUNCTION_ARGS)
 	enableSSLParseTree = ParseTreeNode(ENABLE_SSL_QUERY);
 	AlterSystemSetConfigFile((AlterSystemStmt *) enableSSLParseTree);
 
+	if (strcmp(SSLCipherSuites, POSTGRES_DEFAULT_SSL_CIPHERS) == 0)
+	{
+		/*
+		 * postgres default cipher suite is configured, these allow TSL 1 and TLS 1.1,
+		 * citus will upgrade to TLS1.2+HIGH and above.
+		 */
+		Node *citusSSLCiphersParseTree = ParseTreeNode(SET_CITUS_SSL_CIPHERS_QUERY);
+		AlterSystemSetConfigFile((AlterSystemStmt *) citusSSLCiphersParseTree);
+	}
+
 	/*
 	 * ssl=on requires that a key and certificate are present, since we have
 	 * enabled ssl mode here chances are the user didn't install credentials already.
diff --git a/src/test/regress/expected/ssl_by_default.out b/src/test/regress/expected/ssl_by_default.out
index 4f18b2632..b43010b47 100644
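Review bot: `POSTGRES_DEFAULT_SSL_CIPHERS` in the new define block is a hard-coded copy of the server's compiled-in `ssl_ciphers` default, so the strcmp-based upgrade further down silently stops applying if that default changes in a later server release or a packager builds with a different one, and nothing would tell the operator. The macro deserves a comment pinning that dependency, e.g. `/* must equal the server's boot default for ssl_ciphers; the cipher upgrade in citus_setup_ssl() is skipped when they differ */`. It would also help operators if the skipped case were reported (an ereport at NOTICE level naming the configured value), so that a deliberately weaker cipher list being preserved is visible rather than silent.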
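Review bot: The comment inside the new `if` block misstates the mechanism and has a typo (`TSL 1`): an OpenSSL cipher string does not select a protocol version, the `TLSv1.2` keyword selects suites defined for TLS 1.2, so TLS 1.0/1.1 are excluded only because no negotiable suite remains for them; `* the server default still admits suites usable under TLS 1.0/1.1; restricting to TLSv1.2+HIGH leaves those versions nothing to negotiate.` would describe it accurately. The strcmp guard deliberately leaves an explicitly configured ssl_ciphers alone, even a weaker one, and that intent should be stated in the comment as well. The ALTER SYSTEM written here only lands in postgresql.auto.conf and takes effect after a configuration reload, which presumably is the job of GloballyReloadConfig() forward-declared in the previous hunk; a one-line note saying so would save the reader the lookup. citus_setup_ssl() starts and ends outside this hunk.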
--- a/src/test/regress/expected/ssl_by_default.out
+++ b/src/test/regress/expected/ssl_by_default.out
@@ -61,3 +61,18 @@ $$);
 (localhost,57638,t,t)
 (2 rows)
 
+SHOW ssl_ciphers;
+        ssl_ciphers
+----------------------------
+ TLSv1.2+HIGH:!aNULL:!eNULL
+(1 row)
+
+SELECT run_command_on_workers($$
+    SHOW ssl_ciphers;
+$$);
+             run_command_on_workers
+------------------------------------------------
+ (localhost,57637,t,TLSv1.2+HIGH:!aNULL:!eNULL)
+ (localhost,57638,t,TLSv1.2+HIGH:!aNULL:!eNULL)
+(2 rows)
+
diff --git a/src/test/regress/sql/ssl_by_default.sql b/src/test/regress/sql/ssl_by_default.sql
index 7a00c47a4..0d16960bc 100644
--- a/src/test/regress/sql/ssl_by_default.sql
+++ b/src/test/regress/sql/ssl_by_default.sql
@@ -33,3 +33,8 @@ $$);
 SELECT run_command_on_workers($$
     SELECT ssl FROM pg_stat_ssl WHERE pid = pg_backend_pid();
 $$);
+
+SHOW ssl_ciphers;
+SELECT run_command_on_workers($$
+    SHOW ssl_ciphers;
+$$);
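Review bot: The new checks in ssl_by_default.sql only exercise the path where ssl_ciphers was still at the server default when the extension was created; the other branch, in which an explicitly configured cipher list is left untouched, has no coverage, and the expected output would also break on a test cluster whose postgresql.conf already sets ssl_ciphers. A short comment above the new `SHOW ssl_ciphers;` stating that precondition, e.g. `-- assumes ssl_ciphers was at the PostgreSQL default before citus_setup_ssl ran`, would make the assumption explicit for whoever next sees this test fail.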