From fc4e64ed9a9d9ab6478b7b7f7ef815eb0161b471 Mon Sep 17 00:00:00 2001
From: Jelte Fennema <github-tech@jeltef.nl>
Date: Tue, 24 Mar 2020 15:51:44 +0100
Subject: [PATCH] Use Microsoft approved cipher string (#3639)

This cipher string is approved by the Microsoft security team and only enables
TLSv1.2 ciphers.

(cherry picked from commit 149f0b21226872f641001ff13a324b5f7c164ee6)
---
 src/backend/distributed/utils/enable_ssl.c   | 17 ++++++++++++++++-
 src/test/regress/expected/ssl_by_default.out | 10 +++++-----
 2 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/src/backend/distributed/utils/enable_ssl.c b/src/backend/distributed/utils/enable_ssl.c
index f21857004..f3833923f 100644
--- a/src/backend/distributed/utils/enable_ssl.c
+++ b/src/backend/distributed/utils/enable_ssl.c
@@ -37,7 +37,22 @@
 #define X509_SUBJECT_COMMON_NAME "CN"
 
 #define POSTGRES_DEFAULT_SSL_CIPHERS "HIGH:MEDIUM:+3DES:!aNULL"
-#define CITUS_DEFAULT_SSL_CIPHERS "TLSv1.2+HIGH:!aNULL:!eNULL"
+#define CITUS_DEFAULT_SSL_CIPHERS_OLD "TLSv1.2+HIGH:!aNULL:!eNULL"
+
+/*
+ * Microsoft approved cipher string.
+ * This cipher string implicitely enables only TLSv1.2+, because these ciphers
+ * were all added in TLSv1.2. This can be confirmed by running:
+ * openssl -v <below strings concatenated>
+ */
+#define CITUS_DEFAULT_SSL_CIPHERS "ECDHE-ECDSA-AES128-GCM-SHA256:" \
+								  "ECDHE-ECDSA-AES256-GCM-SHA384:" \
+								  "ECDHE-RSA-AES128-GCM-SHA256:" \
+								  "ECDHE-RSA-AES256-GCM-SHA384:" \
+								  "ECDHE-ECDSA-AES128-SHA256:" \
+								  "ECDHE-ECDSA-AES256-SHA384:" \
+								  "ECDHE-RSA-AES128-SHA256:" \
+								  "ECDHE-RSA-AES256-SHA384"
 #define SET_CITUS_SSL_CIPHERS_QUERY \
 	"ALTER SYSTEM SET ssl_ciphers TO '" CITUS_DEFAULT_SSL_CIPHERS "';"
 
diff --git a/src/test/regress/expected/ssl_by_default.out b/src/test/regress/expected/ssl_by_default.out
index d75bc1b28..9a0357143 100644
--- a/src/test/regress/expected/ssl_by_default.out
+++ b/src/test/regress/expected/ssl_by_default.out
@@ -51,17 +51,17 @@ $$);
 (2 rows)
 
 SHOW ssl_ciphers;
-        ssl_ciphers
+                                                                                                       ssl_ciphers
 ---------------------------------------------------------------------
- TLSv1.2+HIGH:!aNULL:!eNULL
+ ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384
 (1 row)
 
 SELECT run_command_on_workers($$
     SHOW ssl_ciphers;
 $$);
-             run_command_on_workers
+                                                                                                           run_command_on_workers
 ---------------------------------------------------------------------
- (localhost,57637,t,TLSv1.2+HIGH:!aNULL:!eNULL)
- (localhost,57638,t,TLSv1.2+HIGH:!aNULL:!eNULL)
+ (localhost,57637,t,ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384)
+ (localhost,57638,t,ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384)
 (2 rows)