Merge pull request #2540 from citusdata/fix/enforce-tls

upgrade the default ssl_ciphers to a more restrictive set on extension creation
Nils Dijk 2018-12-12 15:56:59 +01:00 committed by GitHub
commit 595179706c
3 changed files with 35 additions and 0 deletions


@ -35,6 +35,11 @@
#define CITUS_AUTO_SSL_COMMON_NAME "citus-auto-ssl" #define CITUS_AUTO_SSL_COMMON_NAME "citus-auto-ssl"
#define X509_SUBJECT_COMMON_NAME "CN" #define X509_SUBJECT_COMMON_NAME "CN"
#define POSTGRES_DEFAULT_SSL_CIPHERS "HIGH:MEDIUM:+3DES:!aNULL"
#define CITUS_DEFAULT_SSL_CIPHERS "TLSv1.2+HIGH:!aNULL:!eNULL"
#define SET_CITUS_SSL_CIPHERS_QUERY \
"ALTER SYSTEM SET ssl_ciphers TO '" CITUS_DEFAULT_SSL_CIPHERS "';"
/* forward declaration of helper functions */ /* forward declaration of helper functions */
static void GloballyReloadConfig(void); static void GloballyReloadConfig(void);
@ -80,6 +85,16 @@ citus_setup_ssl(PG_FUNCTION_ARGS)
enableSSLParseTree = ParseTreeNode(ENABLE_SSL_QUERY); enableSSLParseTree = ParseTreeNode(ENABLE_SSL_QUERY);
AlterSystemSetConfigFile((AlterSystemStmt *) enableSSLParseTree); AlterSystemSetConfigFile((AlterSystemStmt *) enableSSLParseTree);
if (strcmp(SSLCipherSuites, POSTGRES_DEFAULT_SSL_CIPHERS) == 0)
{
/*
* postgres default cipher suite is configured, these allow TSL 1 and TLS 1.1,
* citus will upgrade to TLS1.2+HIGH and above.
*/
Node *citusSSLCiphersParseTree = ParseTreeNode(SET_CITUS_SSL_CIPHERS_QUERY);
AlterSystemSetConfigFile((AlterSystemStmt *) citusSSLCiphersParseTree);
}
/* /*
* ssl=on requires that a key and certificate are present, since we have * ssl=on requires that a key and certificate are present, since we have
* enabled ssl mode here chances are the user didn't install credentials already. * enabled ssl mode here chances are the user didn't install credentials already.
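Review bot: The comment above the new strcmp branch has a typo and mis-states the mechanism: "TSL 1" should read "TLS 1.0", and "TLSv1.2+HIGH" in OpenSSL cipher-list syntax is a cipher-suite filter rather than a protocol floor — pre-1.2 handshakes are rejected only because those protocols offer none of the TLSv1.2-only suites, which is worth saying so nobody later relaxes the list and silently re-admits them. I would reword the comment to state that the Postgres default permits TLS 1.0/1.1 handshakes, that restricting to TLSv1.2-capable suites effectively requires TLS 1.2 or newer, and that a non-default, user-chosen value is deliberately left untouched. That last point matters because POSTGRES_DEFAULT_SSL_CIPHERS is a hard-coded copy of the server default, so the upgrade is skipped both when the user explicitly set that same string and when a future Postgres ships a different default; a one-line note such as `/* only upgrade when the stock postgres default is still in effect; an explicit user setting is preserved */` makes that intentional. The enclosing function citus_setup_ssl continues outside the hunk.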


@ -61,3 +61,18 @@ $$);
(localhost,57638,t,t) (localhost,57638,t,t)
(2 rows) (2 rows)
SHOW ssl_ciphers;
ssl_ciphers
----------------------------
TLSv1.2+HIGH:!aNULL:!eNULL
(1 row)
SELECT run_command_on_workers($$
SHOW ssl_ciphers;
$$);
run_command_on_workers
------------------------------------------------
(localhost,57637,t,TLSv1.2+HIGH:!aNULL:!eNULL)
(localhost,57638,t,TLSv1.2+HIGH:!aNULL:!eNULL)
(2 rows)


@ -33,3 +33,8 @@ $$);
SELECT run_command_on_workers($$ SELECT run_command_on_workers($$
SELECT ssl FROM pg_stat_ssl WHERE pid = pg_backend_pid(); SELECT ssl FROM pg_stat_ssl WHERE pid = pg_backend_pid();
$$); $$);
SHOW ssl_ciphers;
SELECT run_command_on_workers($$
SHOW ssl_ciphers;
$$);
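Review bot: The new SHOW ssl_ciphers checks only cover the path where the stock Postgres default was in effect, so the guard in citus_setup_ssl that leaves a non-default, user-configured ssl_ciphers untouched is not exercised. A companion case that sets ssl_ciphers to a distinct value on a worker before the extension is created and then shows it unchanged afterwards would pin that behaviour; the matching lines would also need to be added to the expected-output file changed earlier in this commit. The run_command_on_workers block here continues the pattern of the preceding hunk and needs no change itself.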