external
/
citus
mirror of https://github.com/citusdata/citus.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Use Microsoft approved cipher string (#3639) 

This cipher string is approved by the Microsoft security team and only enables
TLSv1.2 ciphers.

(cherry picked from commit 149f0b2122)
pull/3647/head
Jelte Fennema 2020-03-24 15:51:44 +01:00
parent 8ed792cdb4
commit fc4e64ed9a
2 changed files with 21 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
src/backend/distributed/utils/enable_ssl.c
View File

@ -37,7 +37,22 @@
#define X509_SUBJECT_COMMON_NAME "CN" #define X509_SUBJECT_COMMON_NAME "CN"
#define POSTGRES_DEFAULT_SSL_CIPHERS "HIGH:MEDIUM:+3DES:!aNULL" #define POSTGRES_DEFAULT_SSL_CIPHERS "HIGH:MEDIUM:+3DES:!aNULL"
#define CITUS_DEFAULT_SSL_CIPHERS "TLSv1.2+HIGH:!aNULL:!eNULL" #define CITUS_DEFAULT_SSL_CIPHERS_OLD "TLSv1.2+HIGH:!aNULL:!eNULL"
/*
* Microsoft approved cipher string.
* This cipher string implicitely enables only TLSv1.2+, because these ciphers
* were all added in TLSv1.2. This can be confirmed by running:
* openssl -v <below strings concatenated>
*/
#define CITUS_DEFAULT_SSL_CIPHERS "ECDHE-ECDSA-AES128-GCM-SHA256:" \
"ECDHE-ECDSA-AES256-GCM-SHA384:" \
"ECDHE-RSA-AES128-GCM-SHA256:" \
"ECDHE-RSA-AES256-GCM-SHA384:" \
"ECDHE-ECDSA-AES128-SHA256:" \
"ECDHE-ECDSA-AES256-SHA384:" \
"ECDHE-RSA-AES128-SHA256:" \
"ECDHE-RSA-AES256-SHA384"
#define SET_CITUS_SSL_CIPHERS_QUERY \ #define SET_CITUS_SSL_CIPHERS_QUERY \
"ALTER SYSTEM SET ssl_ciphers TO '" CITUS_DEFAULT_SSL_CIPHERS "';" "ALTER SYSTEM SET ssl_ciphers TO '" CITUS_DEFAULT_SSL_CIPHERS "';"

10
src/test/regress/expected/ssl_by_default.out
View File

@ -51,17 +51,17 @@ $$);
(2 rows) (2 rows)
SHOW ssl_ciphers; SHOW ssl_ciphers;
ssl_ciphers ssl_ciphers
--------------------------------------------------------------------- ---------------------------------------------------------------------
TLSv1.2+HIGH:!aNULL:!eNULL ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384
(1 row) (1 row)
SELECT run_command_on_workers($$ SELECT run_command_on_workers($$
SHOW ssl_ciphers; SHOW ssl_ciphers;
$$); $$);
run_command_on_workers run_command_on_workers
--------------------------------------------------------------------- ---------------------------------------------------------------------
(localhost,57637,t,TLSv1.2+HIGH:!aNULL:!eNULL) (localhost,57637,t,ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384)
(localhost,57638,t,TLSv1.2+HIGH:!aNULL:!eNULL) (localhost,57638,t,ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384)
(2 rows) (2 rows)