Thread: BUG #13578: use cipher=NULL-SHA256 error when connect
The following bug has been logged on the website:

Bug reference: 13578
Logged by: digoal
Email address: digoal@126.com
PostgreSQL version: 9.4.4
Operating system: CentOS 6.x x64
Description:

Hi,
why PostgreSQL 9.4.4 can't use eNULL or NULL ciphers?

openssl version
openssl-1.0.1p

postgres@digoal-> /opt/openssl/bin/openssl ciphers -v 'eNULL'
ECDHE-RSA-NULL-SHA      SSLv3   Kx=ECDH       Au=RSA   Enc=None Mac=SHA1
ECDHE-ECDSA-NULL-SHA    SSLv3   Kx=ECDH       Au=ECDSA Enc=None Mac=SHA1
AECDH-NULL-SHA          SSLv3   Kx=ECDH       Au=None  Enc=None Mac=SHA1
ECDH-RSA-NULL-SHA       SSLv3   Kx=ECDH/RSA   Au=ECDH  Enc=None Mac=SHA1
ECDH-ECDSA-NULL-SHA     SSLv3   Kx=ECDH/ECDSA Au=ECDH  Enc=None Mac=SHA1
NULL-SHA256             TLSv1.2 Kx=RSA        Au=RSA   Enc=None Mac=SHA256
NULL-SHA                SSLv3   Kx=RSA        Au=RSA   Enc=None Mac=SHA1
NULL-MD5                SSLv3   Kx=RSA        Au=RSA   Enc=None Mac=MD5

I use the TLSv1.2 version NULL-SHA256.

ssl = on                                # (change requires restart)
ssl_ciphers = 'NULL-SHA256'             # (change requires restart)
#ssl_prefer_server_ciphers = on         # (change requires restart)
#ssl_ecdh_curve = 'prime256v1'          # (change requires restart)
#ssl_renegotiation_limit = 512MB        # amount of data between renegotiations
#ssl_renegotiation_limit = 0            # amount of data between renegotiations
#ssl_cert_file = 'server.crt'           # (change requires restart)
#ssl_key_file = 'server.key'            # (change requires restart)
#ssl_ca_file = ''                       # (change requires restart)
#ssl_crl_file = ''                      # (change requires restart)

postgres@digoal-> psql postgresql://postgres:postgres@192.168.150.128:1921/postgres?sslmode=require\&application_name='ab'
psql: SSL error: sslv3 alert handshake failure

2015-08-18 15:36:50.801 CST,,,51545,"192.168.150.128:21611",55d2e092.c959,2,"",2015-08-18 15:36:50 CST,,0,LOG,08P01,"could not accept SSL connection: no shared cipher",,,,,,,,"open_server_SSL, be-secure.c:1034",""

        if (r <= 0)
        {
                err = SSL_get_error(port->ssl, r);
                switch (err)
                {
......
                        case SSL_ERROR_SSL:
                                ereport(COMMERROR,
                                        (errcode(ERRCODE_PROTOCOL_VIOLATION),
                                         errmsg("could not accept SSL connection: %s",
                                                SSLerrmessage())));

But it can use SSLv3 IDEA-CBC-SHA, why?

src/backend/libpq/be-secure.c

        /* set up ephemeral DH keys, and disallow SSL v2/v3 while at it */
        SSL_CTX_set_tmp_dh_callback(SSL_context, tmp_dh_cb);
        SSL_CTX_set_options(SSL_context,
                            SSL_OP_SINGLE_DH_USE |
                            SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);

src/interfaces/libpq/fe-secure.c

        /* Disable old protocol versions */
        SSL_CTX_set_options(SSL_context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);

[root@digoal postgresql-9.4.4]# /opt/openssl/bin/openssl ciphers -v 'ALL'|grep IDEA-CBC-SHA
IDEA-CBC-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=SHA1

When it connected, we can see the protocol: TLSv1.2. I am confused.

postgres@digoal-> psql postgresql://postgres:postgres@192.168.150.128:1921/postgres?sslmode=require\&application_name='ab'
psql (9.4.4)
SSL connection (protocol: TLSv1.2, cipher: IDEA-CBC-SHA, bits: 128, compression: on)
Type "help" for help.

postgres=#

digoal@126.com writes:
> why PostgreSQL 9.4.4 can't use eNULL or NULL ciphers?

I believe we intentionally disallow that, because those "ciphers"
actually mean transmission in cleartext. If you're okay with
unencrypted connections, you needn't bother with SSL at all.

regards, tom lane

At 2015-08-19 05:32:40, "Tom Lane" <tgl@sss.pgh.pa.us> wrote:
>digoal@126.com writes:
>> why PostgreSQL 9.4.4 can't use eNULL or NULL ciphers?
>
>I believe we intentionally disallow that, because those "ciphers"
>actually mean transmission in cleartext. If you're okay with
>unencrypted connections, you needn't bother with SSL at all.
>
> regards, tom lane

Yes, but what about when people hope to use SSL's compression function and don't need these data encrypted?
The encryption will use some CPU, so its performance will be reduced a little.

regards, digoal
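
The `Enc=None` column in the `openssl ciphers -v` listing from the report is what marks a suite as cleartext, the point made in the reply. The following is an added example, not code from this thread or from PostgreSQL: it parses that output format and flags such suites, and also flags `Au=None` suites, a check the thread does not discuss. The sample rows are copied from the report, and the function names are hypothetical.

```python
# Added example: audit `openssl ciphers -v` output for suites that provide
# no confidentiality (Enc=None) or no peer authentication (Au=None).

# Constructed sample: rows copied from the listings quoted in the bug report.
SAMPLE = """\
ECDHE-RSA-NULL-SHA      SSLv3   Kx=ECDH Au=RSA  Enc=None      Mac=SHA1
AECDH-NULL-SHA          SSLv3   Kx=ECDH Au=None Enc=None      Mac=SHA1
NULL-SHA256             TLSv1.2 Kx=RSA  Au=RSA  Enc=None      Mac=SHA256
IDEA-CBC-SHA            SSLv3   Kx=RSA  Au=RSA  Enc=IDEA(128) Mac=SHA1
"""


def parse_ciphers(text):
    """Parse `openssl ciphers -v` rows into dicts (name, proto, Kx, Au, Enc, Mac)."""
    suites = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # blank or malformed row
        suite = {"name": fields[0], "proto": fields[1]}
        for field in fields[2:]:
            key, sep, value = field.partition("=")
            if sep:  # ignore trailing words that are not key=value pairs
                suite[key] = value
        suites.append(suite)
    return suites


def audit(text):
    """Return {suite name: [reasons]} for suites that should not be enabled."""
    findings = {}
    for suite in parse_ciphers(text):
        reasons = []
        if suite.get("Enc") == "None":
            reasons.append("no encryption: data is sent in cleartext")
        if suite.get("Au") == "None":
            reasons.append("no authentication: anonymous key exchange")
        if reasons:
            findings[suite["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit(SAMPLE).items():
        print(f"{name}: {'; '.join(reasons)}")
```

The second column of this listing is the minimum protocol version the suite supports (see `SSL_CIPHER_description`), not the version a connection negotiates, which is why IDEA-CBC-SHA is listed as SSLv3 yet appears in a TLSv1.2 session.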