SSL Connection still showing TLSv1.3 even it is disabled in ssl_ciphers - Mailing list pgsql-hackers
From: tushar
Subject: SSL Connection still showing TLSv1.3 even it is disabled in ssl_ciphers
Msg-id: 58f22537-0c67-88a4-f94c-5cf0e78bf0a7@enterprisedb.com
Responses: Re: SSL Connection still showing TLSv1.3 even it is disabled in ssl_ciphers
List: pgsql-hackers
Hi,
While testing SSL version 1.1.1c, I only enabled TLSv1.2 and the rest, including TLSv1.3, have been disabled, like this -
postgres=# show ssl_ciphers ;
ssl_ciphers
----------------------------------------------
TLSv1.2:!aNULL:!SSLv2:!SSLv3:!TLSv1:!TLSv1.3
To confirm the same, there is a tool called sslyze (SSLyze is a Python library and a CLI tool that can analyze the SSL configuration of a server by connecting to it)
(https://github.com/nabla-c0d3/sslyze), which I configured on my machine.
Run this command -
[root@localhost Downloads]# python -m sslyze --sslv2 --sslv3 --tlsv1 --tlsv1_1 --tlsv1_2 --tlsv1_3 localhost:5432 --starttls=postgres --hide_rejected_ciphers
AVAILABLE PLUGINS
-----------------
CompressionPlugin
HttpHeadersPlugin
OpenSslCcsInjectionPlugin
OpenSslCipherSuitesPlugin
SessionResumptionPlugin
FallbackScsvPlugin
CertificateInfoPlugin
RobotPlugin
HeartbleedPlugin
SessionRenegotiationPlugin
CHECKING HOST(S) AVAILABILITY
-----------------------------
localhost:5432 => 127.0.0.1
SCAN RESULTS FOR LOCALHOST:5432 - 127.0.0.1
-------------------------------------------
* SSLV2 Cipher Suites:
Server rejected all cipher suites.
* TLSV1_3 Cipher Suites:
Server rejected all cipher suites.
* SSLV3 Cipher Suites:
Server rejected all cipher suites.
* TLSV1_1 Cipher Suites:
Server rejected all cipher suites.
* TLSV1_2 Cipher Suites:
Forward Secrecy OK - Supported
RC4 OK - Not Supported
Preferred:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH-256 bits 256 bits
Accepted:
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 DH-2048 bits 256 bits
RSA_WITH_AES_256_CCM_8 - 256 bits
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - 256 bits
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - 256 bits
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 - 256 bits
RSA_WITH_AES_256_CCM - 256 bits
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 - 256 bits
ARIA256-GCM-SHA384 - 256 bits
TLS_RSA_WITH_AES_256_CBC_SHA256 - 256 bits
TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 - 256 bits
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDH-256 bits 256 bits
DHE_RSA_WITH_AES_256_CCM_8 - 256 bits
ECDHE-ARIA256-GCM-SHA384 - 256 bits
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH-256 bits 256 bits
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 DH-2048 bits 256 bits
TLS_RSA_WITH_AES_256_GCM_SHA384 - 256 bits
TLS_DHE_RSA_WITH_AES_256_CCM - 256 bits
DHE-RSA-ARIA256-GCM-SHA384 - 256 bits
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 - 128 bits
RSA_WITH_AES_128_CCM_8 - 128 bits
RSA_WITH_AES_128_CCM - 128 bits
DHE_RSA_WITH_AES_128_CCM - 128 bits
DHE_RSA_WITH_AES_128_CCM_8 - 128 bits
ARIA128-GCM-SHA256 - 128 bits
TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 - 128 bits
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 DH-2048 bits 128 bits
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH-256 bits 128 bits
TLS_RSA_WITH_AES_128_CBC_SHA256 - 128 bits
ECDHE-ARIA128-GCM-SHA256 - 128 bits
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 DH-2048 bits 128 bits
TLS_RSA_WITH_AES_128_GCM_SHA256 - 128 bits
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 - 128 bits
DHE-RSA-ARIA128-GCM-SHA256 - 128 bits
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ECDH-256 bits 128 bits
* TLSV1 Cipher Suites:
Server rejected all cipher suites.
SCAN COMPLETED IN 0.84 S
------------------------
These are the ones which got rejected for TLSV1_3
* TLSV1_3 Cipher Suites:
Rejected:
TLS_CHACHA20_POLY1305_SHA256 TLS / Alert: protocol version
TLS_AES_256_GCM_SHA384 TLS / Alert: protocol version
TLS_AES_128_GCM_SHA256 TLS / Alert: protocol version
TLS_AES_128_CCM_SHA256 TLS / Alert: protocol version
TLS_AES_128_CCM_8_SHA256 TLS / Alert: protocol version
When I connect to the psql terminal -
psql.bin (10.9)
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
Type "help" for help.
postgres=# show ssl_ciphers ;
ssl_ciphers
----------------------------------------------
TLSv1.2:!aNULL:!SSLv2:!SSLv3:!TLSv1:!TLSv1.3
(1 row)
postgres=#
A cipher which has been rejected should not display in the message.
Is this expected?
--
regards, tushar
EnterpriseDB https://www.enterprisedb.com/
The Enterprise PostgreSQL Company
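As an added check (not part of tushar's post or of PostgreSQL's own code), the script below applies the post's exact ssl_ciphers string to an OpenSSL context through Python's ssl module and lists which suites stay enabled: the TLS 1.3 suites survive because OpenSSL 1.1.1 keeps them in a separate list (SSL_CTX_set_ciphersuites) that a cipher-list string never touches, and the knob that excludes TLS 1.3 is the protocol ceiling (ssl.TLSVersion.TLSv1_2 here, ssl_max_protocol_version on a PostgreSQL 12 or later server). The function names are my own; the behaviour assumes a Python linked against OpenSSL 1.1.1 or newer.

```python
import ssl

# Exact ssl_ciphers value from the post; PostgreSQL hands it to
# OpenSSL's SSL_CTX_set_cipher_list() at startup.
PG_CIPHER_LIST = "TLSv1.2:!aNULL:!SSLv2:!SSLv3:!TLSv1:!TLSv1.3"


def tls13_available() -> bool:
    """True when the OpenSSL linked into this Python speaks TLS 1.3 (1.1.1+)."""
    return ssl.HAS_TLSv1_3


def suites_by_protocol(cipher_list: str) -> dict:
    """Apply a cipher-list string as a server would and group the suites
    OpenSSL leaves enabled by the protocol version that introduced them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_list)        # same call path as ssl_ciphers
    grouped = {}
    for suite in ctx.get_ciphers():     # what SSL_get_ciphers() reports
        grouped.setdefault(suite["protocol"], []).append(suite["name"])
    return grouped


def surviving_tls13_suites(cipher_list: str) -> list:
    """TLS 1.3 suites still enabled after the cipher list is applied.
    '!TLSv1.3' cannot remove them: the TLS 1.3 suites come from a separate
    list (SSL_CTX_set_ciphersuites) that the cipher-list parser never sees,
    so this stays non-empty whenever TLS 1.3 is available at all."""
    return suites_by_protocol(cipher_list).get("TLSv1.3", [])


def capped_max_version(cipher_list: str) -> str:
    """The knob that really excludes TLS 1.3 is the protocol ceiling, not
    the cipher list.  ssl.TLSVersion.TLSv1_2 here plays the role that
    ssl_max_protocol_version = 'TLSv1.2' plays on a PostgreSQL 12+ server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_list)
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx.maximum_version.name


if __name__ == "__main__":
    for proto, names in sorted(suites_by_protocol(PG_CIPHER_LIST).items()):
        print(f"{proto}: {len(names)} suites, first {names[0]}")
    print("TLS 1.3 suites left by '!TLSv1.3':",
          surviving_tls13_suites(PG_CIPHER_LIST))
    print("ceiling after capping:", capped_max_version(PG_CIPHER_LIST))
```

Running it reproduces the post's observation from the server's side: the TLSv1.2 group matches the suites sslyze accepted, while the TLS_AES_* suites remain in the TLSv1.3 group until the ceiling is lowered.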