Thread: [HACKERS] libpq connection strings: control over the cipher suites?
Hi all,

According to the docs at https://www.postgresql.org/docs/9.5/static/libpq-connect.html#LIBPQ-CONNSTRING there are various parameters that control ssl from the client side, including providing the ssl certs, keys, etc.

Is there a parameter or mechanism for setting the required ssl cipher list from the client side?

Regards,
Graham
On 11/09/2017 03:27 AM, Graham Leggett wrote:
> Is there a parameter or mechanism for setting the required ssl cipher list from the client side?

I don't believe so. That is controlled by ssl_ciphers, which requires a restart in order to change.

https://www.postgresql.org/docs/10/static/runtime-config-connection.html#GUC-SSL-CIPHERS

select name,setting,context from pg_settings where name like '%ssl%';
           name            |         setting          |  context
---------------------------+--------------------------+------------
 ssl                       | off                      | postmaster
 ssl_ca_file               |                          | postmaster
 ssl_cert_file             | server.crt               | postmaster
 ssl_ciphers               | HIGH:MEDIUM:+3DES:!aNULL | postmaster
 ssl_crl_file              |                          | postmaster
 ssl_ecdh_curve            | prime256v1               | postmaster
 ssl_key_file              | server.key               | postmaster
 ssl_prefer_server_ciphers | on                       | postmaster
(8 rows)

HTH,

Joe

--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development
On Fri, Nov 10, 2017 at 2:53 AM, Joe Conway <mail@joeconway.com> wrote:
> On 11/09/2017 03:27 AM, Graham Leggett wrote:
>> Is there a parameter or mechanism for setting the required ssl cipher list from the client side?
>
> I don't believe so. That is controlled by ssl_ciphers, which requires a
> restart in order to change.
>
> https://www.postgresql.org/docs/10/static/runtime-config-connection.html#GUC-SSL-CIPHERS

Since commit de41869 present in v10, SSL parameters can be reloaded. On libpq there is only an API to have a look at what are the ciphers set by the server via PQsslAttribute().
--
Michael
On 11/09/2017 03:17 PM, Michael Paquier wrote:
> On Fri, Nov 10, 2017 at 2:53 AM, Joe Conway <mail@joeconway.com> wrote:
>> On 11/09/2017 03:27 AM, Graham Leggett wrote:
>>> Is there a parameter or mechanism for setting the required ssl cipher list from the client side?
>>
>> I don't believe so. That is controlled by ssl_ciphers, which requires a
>> restart in order to change.
>>
>> https://www.postgresql.org/docs/10/static/runtime-config-connection.html#GUC-SSL-CIPHERS
>
> Since commit de41869 present in v10, SSL parameters can be reloaded.

Oh, cool, I must have missed that -- thanks!

Joe

--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development