Thread: PostgreSQL SSL params
Hi,
I have enabled ssl on my PG servers and have set ssl_cipher to "HIGH". Still, the security team complains that weak ciphers are accepted at server side (They have run some security tests). Security team suggesting to use ssl_dh_params_file.
As per my understanding, DH is a key exchange protocol (read in some forum). DH is used to securely generate a common key between two parties, other algorithms are used for encryption itself. So I believe that dhparam does not help in resolving weak cipher issues. Need some insight on this.
Also, Are there any changes required at client side to connect to the database if ssl_dh_params_file is set at server side?
how to make sure that PG accepts only high ciphers? Please suggest.
Note: I have installed PG version 13.1 on a few servers and 13.3 on a few servers.
Regards,
Pramod
pramod kg <pramod11287@gmail.com> writes:
> I have enabled ssl on my PG servers and have set ssl_cipher to "HIGH".
> Still, the security team complains that weak ciphers are accepted at server
> side (They have run some security tests).
The default setting of that is
#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
Perhaps the problem is your ill-advised removal of the !aNULL part.
regards, tom lane
Should it be combination of
'HIGH:!aNULL' ??
'HIGH:!aNULL' ??
Regards,
Pramod
On Sun, 13 Jun 2021, 20:34 Tom Lane, <tgl@sss.pgh.pa.us> wrote:
pramod kg <pramod11287@gmail.com> writes:
> I have enabled ssl on my PG servers and have set ssl_cipher to "HIGH".
> Still, the security team complains that weak ciphers are accepted at server
> side (They have run some security tests).
The default setting of that is
#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
Perhaps the problem is your ill-advised removal of the !aNULL part.
regards, tom lane
On 13.06.21 16:20, pramod kg wrote: > I have enabled ssl on my PG servers and have set ssl_cipher to "HIGH". > Still, the security team complains that weak ciphers are accepted at > server side (They have run some security tests). Try to get a list of specific ciphers that they object to. Then you can use "openssl ciphers" and SSL_CTX_set_cipher_list(3) to tune your settings. > Security team > suggesting to use ssl_dh_params_file. > > As per my understanding, DH is a key exchange protocol (read in some > forum). DH is used to securely generate a common key between two > parties, other algorithms are used for encryption itself. So I > believe that dhparam does not help in resolving weak cipher issues. Need > some insight on this. I think you are correct on this.
Try to get a list of specific ciphers that they object to. Then you can
use "openssl ciphers" and SSL_CTX_set_cipher_list(3) to tune your settings.
use "openssl ciphers" and SSL_CTX_set_cipher_list(3) to tune your settings.
Okay. Will do thanks.
On Mon, Jun 14, 2021 at 1:23 PM Peter Eisentraut <peter.eisentraut@enterprisedb.com> wrote:
On 13.06.21 16:20, pramod kg wrote:
> I have enabled ssl on my PG servers and have set ssl_cipher to "HIGH".
> Still, the security team complains that weak ciphers are accepted at
> server side (They have run some security tests).
Try to get a list of specific ciphers that they object to. Then you can
use "openssl ciphers" and SSL_CTX_set_cipher_list(3) to tune your settings.
> Security team
> suggesting to use ssl_dh_params_file.
>
> As per my understanding, DH is a key exchange protocol (read in some
> forum). DH is used to securely generate a common key between two
> parties, other algorithms are used for encryption itself. So I
> believe that dhparam does not help in resolving weak cipher issues. Need
> some insight on this.
I think you are correct on this.