ssl_library parameter

Started by Peter Eisentrautover 7 years ago5 messages

peter.eisentraut@2ndquadrant.com

over 7 years ago

1 attachment(s)

Extracted from the GnuTLS thread/patch, here is a patch to add a
server-side read-only parameter ssl_library, which currently reports
either 'OpenSSL' or an empty string, depending on what SSL library was
built with. This is analogous to the libpq function call
PQsslAttribute(conn, "library"), but there was no equivalent
functionality on the server side.

--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services

Attachments:

0001-Add-ssl_library-preset-parameter.patchtext/plain; charset=UTF-8; name=0001-Add-ssl_library-preset-parameter.patch; x-mac-creator=0; x-mac-type=0Download

From e9fe0423edb388a39b8d53e55d2be1cb37809256 Mon Sep 17 00:00:00 2001
From: Peter Eisentraut <peter_e@gmx.net>
Date: Tue, 26 Jun 2018 10:19:35 +0200
Subject: [PATCH] Add ssl_library preset parameter

This allows querying the SSL implementation used on the server side.
It's analogous to using PQsslAttribute(conn, "library") in libpq.
---
 doc/src/sgml/config.sgml       | 16 ++++++++++++++++
 src/backend/libpq/be-secure.c  |  1 +
 src/backend/utils/misc/guc.c   | 15 +++++++++++++++
 src/include/libpq/libpq.h      |  1 +
 src/test/ssl/t/001_ssltests.pl |  7 ++++++-
 5 files changed, 39 insertions(+), 1 deletion(-)

diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index 7bfbc87109..d3c8823746 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -8370,6 +8370,22 @@ <title>Preset Options</title>
       </listitem>
      </varlistentry>
 
+     <varlistentry id="guc-ssl-library" xreflabel="ssl_library">
+      <term><varname>ssl_library</varname> (<type>string</type>)
+      <indexterm>
+       <primary><varname>ssl_library</varname> configuration parameter</primary>
+      </indexterm>
+      </term>
+      <listitem>
+       <para>
+        Reports the name of the SSL library that this PostgreSQL server was
+        built with (even if SSL is not currently configured or in use on this
+        instance), for example <literal>OpenSSL</literal>, or an empty string
+        if none.
+       </para>
+      </listitem>
+     </varlistentry>
+
      <varlistentry id="guc-wal-block-size" xreflabel="wal_block_size">
       <term><varname>wal_block_size</varname> (<type>integer</type>)
       <indexterm>
diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c
index edfe2c0751..d349d7c2c7 100644
--- a/src/backend/libpq/be-secure.c
+++ b/src/backend/libpq/be-secure.c
@@ -38,6 +38,7 @@
 #include "storage/proc.h"
 
 
+char	   *ssl_library;
 char	   *ssl_cert_file;
 char	   *ssl_key_file;
 char	   *ssl_ca_file;
diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c
index 859ef931e7..bdbb6ad528 100644
--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -3715,6 +3715,21 @@ static struct config_string ConfigureNamesString[] =
 		check_canonical_path, NULL, NULL
 	},
 
+	{
+		{"ssl_library", PGC_INTERNAL, PRESET_OPTIONS,
+			gettext_noop("Name of the SSL library."),
+			NULL,
+			GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE
+		},
+		&ssl_library,
+#ifdef USE_SSL
+		"OpenSSL",
+#else
+		"",
+#endif
+		NULL, NULL, NULL
+	},
+
 	{
 		{"ssl_cert_file", PGC_SIGHUP, CONN_AUTH_SSL,
 			gettext_noop("Location of the SSL server certificate file."),
diff --git a/src/include/libpq/libpq.h b/src/include/libpq/libpq.h
index 7bf06c65e9..36baf6b919 100644
--- a/src/include/libpq/libpq.h
+++ b/src/include/libpq/libpq.h
@@ -75,6 +75,7 @@ extern int	pq_putbytes(const char *s, size_t len);
 /*
  * prototypes for functions in be-secure.c
  */
+extern char *ssl_library;
 extern char *ssl_cert_file;
 extern char *ssl_key_file;
 extern char *ssl_ca_file;
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index e550207454..2b875a3c95 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -8,7 +8,7 @@
 
 if ($ENV{with_openssl} eq 'yes')
 {
-	plan tests => 64;
+	plan tests => 65;
 }
 else
 {
@@ -49,6 +49,11 @@
 $ENV{PGHOST} = $node->host;
 $ENV{PGPORT} = $node->port;
 $node->start;
+
+# Run this before we lock down access below.
+my $result = $node->safe_psql('postgres', "SHOW ssl_library");
+is($result, 'OpenSSL', 'ssl_library parameter');
+
 configure_test_server_for_ssl($node, $SERVERHOSTADDR, 'trust');
 
 note "testing password-protected keys";
-- 
2.18.0

Daniel Gustafsson

daniel@yesql.se

over 7 years ago

In reply to: Peter Eisentraut (#1)

Re: ssl_library parameter

On 26 Jun 2018, at 11:06, Peter Eisentraut <peter.eisentraut@2ndquadrant.com> wrote:

Extracted from the GnuTLS thread/patch, here is a patch to add a
server-side read-only parameter ssl_library, which currently reports
either 'OpenSSL' or an empty string, depending on what SSL library was
built with. This is analogous to the libpq function call
PQsslAttribute(conn, "library"), but there was no equivalent
functionality on the server side.

Looks good to me, +1

cheers ./daniel

Tom Lane

tgl@sss.pgh.pa.us

over 7 years ago

In reply to: Peter Eisentraut (#1)

Re: ssl_library parameter

Peter Eisentraut <peter.eisentraut@2ndquadrant.com> writes:

Extracted from the GnuTLS thread/patch, here is a patch to add a
server-side read-only parameter ssl_library, which currently reports
either 'OpenSSL' or an empty string, depending on what SSL library was
built with. This is analogous to the libpq function call
PQsslAttribute(conn, "library"), but there was no equivalent
functionality on the server side.

(1) I'm not really clear why we need this. GUC variables aren't free.

(2) Are there security issues with exposing this info to everybody?

regards, tom lane

Peter Eisentraut

peter.eisentraut@2ndquadrant.com

over 7 years ago

In reply to: Tom Lane (#3)

Re: ssl_library parameter

On 6/26/18 17:48, Tom Lane wrote:

(1) I'm not really clear why we need this. GUC variables aren't free.

(2) Are there security issues with exposing this info to everybody?

This functionality was requested in the threads about GnuTLS and other
SSL implementations so that users/admins can determine which SSL
settings are applicable.

I'm not sure about the security impact. We do expose all the other
ssl_* settings to ordinary users, so if users want to see whether the
server is misconfigured or something like that, they can already do
that. I think in the context of an SSL connection, the server is not
supposed to be the adversary of the client, so if the server can provide
more information about what it's doing to protect the client's
information, then the better.

--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services

Peter Eisentraut

peter.eisentraut@2ndquadrant.com

over 7 years ago

In reply to: Daniel Gustafsson (#2)

Re: ssl_library parameter

On 26/06/2018 11:49, Daniel Gustafsson wrote:

Extracted from the GnuTLS thread/patch, here is a patch to add a
server-side read-only parameter ssl_library, which currently reports
either 'OpenSSL' or an empty string, depending on what SSL library was
built with. This is analogous to the libpq function call
PQsslAttribute(conn, "library"), but there was no equivalent
functionality on the server side.

Looks good to me, +1

committed

--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services