[trusty] Ability to use newer TLS versions

Bug #1399759 reported by Peter Wu
This bug affects 1 person
Affects                    Status    Importance   Assigned to   Milestone
postgresql-9.3 (Ubuntu)    Invalid   Undecided    Unassigned    -
Trusty                     Triaged   Undecided    Unassigned    -

Bug Description

While the PostgreSQL server supports versions higher than TLS 1.0, this is not enabled in libpq:

src/backend/libpq/be-secure.c:738: SSL_context = SSL_CTX_new(SSLv23_method());
src/interfaces/libpq/fe-secure.c:969: SSL_context = SSL_CTX_new(TLSv1_method());

Please consider applying this upstream patch on Ubuntu 14.04 LTS to improve compatibility with a TLSv1.2-only server:

http://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=820f08cabdcbb8998050c3d4873e9619d6d8cba4;hp=3a5313265d53322519b5edce018ebdea14062bf9

Apart from that, you might also want to apply the following patch to disable SSLv3 on the server side (shouldn't hurt as libpq never supported SSLv3 before):
http://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=326e1d73c476a0b5061ef00134bdf57aed70d5e7;hp=3fd3e34914a2aa520a8bc5109a773621385cf1f4

Binary package version:
libpq5 9.3.5-0ubuntu0.14.04.1

Source package version:
postgresql-9.3 9.3.5-0ubuntu0.14.04.1
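The mismatch the report describes (a client pinned to TLSv1_method() talking to a TLSv1.2-only server) can be verified from outside without patching anything: speak PostgreSQL's in-band SSLRequest handshake, then report which protocol the server negotiates with a TLS 1.0-only client versus a negotiating one. This is an added example, not code from the bug report or from PostgreSQL; the host and port passed to probe() are assumptions.

```python
import socket
import ssl
import struct

# PostgreSQL's TLS upgrade is in-band: the client sends an 8-byte SSLRequest
# (int32 length 8, int32 code 80877103 = 1234<<16 | 5679) and the server
# answers with one byte, 'S' (proceed with TLS) or 'N' (TLS not available).
SSLREQUEST_CODE = 80877103


def build_ssl_request() -> bytes:
    """Encode the SSLRequest startup packet (both fields big-endian int32)."""
    return struct.pack("!II", 8, SSLREQUEST_CODE)


def server_accepts_ssl(reply: bytes) -> bool:
    """Interpret the one-byte answer to SSLRequest."""
    if reply == b"S":
        return True
    if reply == b"N":
        return False
    raise ValueError(f"unexpected SSLRequest reply: {reply!r}")


def make_client_context(legacy: bool) -> ssl.SSLContext:
    """Probe-only TLS context (no certificate verification).
    legacy=True mimics the unpatched libpq from the report (TLSv1_method():
    TLS 1.0 only); legacy=False negotiates the highest common version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # probe only: we want the version, not auth
    ctx.verify_mode = ssl.CERT_NONE
    if legacy:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
        ctx.maximum_version = ssl.TLSVersion.TLSv1
    return ctx


def probe(host: str, port: int = 5432, legacy: bool = False, timeout: float = 5.0) -> str:
    """Return the negotiated TLS version, 'no TLS', or the handshake error."""
    ctx = make_client_context(legacy)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_ssl_request())
        if not server_accepts_ssl(sock.recv(1)):
            return "no TLS"
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version()        # e.g. "TLSv1.2"
        except ssl.SSLError as exc:
            # A TLS 1.2-only server rejects the TLS 1.0-pinned client here.
            return f"handshake failed: {exc.reason}"
```

Running probe("db.example.internal", legacy=True) against a server configured as in the report should fail the handshake, while legacy=False returns the negotiated version; that pair of results is the same symptom the report's libpq change addresses.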

Tags: patch trusty
Peter Wu (lekensteyn) wrote :
affects: postgresql-common (Ubuntu) → postgresql-9.4 (Ubuntu)
affects: postgresql-9.4 (Ubuntu) → postgresql-9.3 (Ubuntu)
Peter Wu (lekensteyn) wrote :

Even ECDHE-RSA-AES128-SHA (TLSv1.0) did not work; it turns out that another change is needed for ECDHE suites. Please consider applying this one too, as it is more CPU friendly.

http://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=3164721462d547fa2d15e2a2f07eb086a3590fd5;hp=91484409bdd17f330d10671d388b72d4ef1451d7

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "postgresql.git-820f08cabdcbb8998050c3d4873e9619d6d8cba4.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

Martin Pitt (pitti)
Changed in postgresql-9.3 (Ubuntu):
status: New → Triaged
Changed in postgresql-9.3 (Ubuntu Trusty):
status: New → Triaged
Changed in postgresql-9.3 (Ubuntu):
status: Triaged → Invalid
Changed in postgresql-9.3 (Ubuntu Trusty):
assignee: nobody → Martin Pitt (pitti)
summary: - Ability to use newer TLS versions
+ [trusty] Ability to use newer TLS versions
Martin Pitt (pitti)
Changed in postgresql-9.3 (Ubuntu Trusty):
assignee: Martin Pitt (pitti) → nobody