Thread: Fwd: Enforcing TLS 1.3 as a minimum version

Fwd: Enforcing TLS 1.3 as a minimum version

From: John Barker

I am running pgAdmin 9.1 in a podman container and am trying to ensure that TLS 1.3 is the minimum version. I have created an override file and I know that it is being read at startup, but the enforcement of TLS 1.3 is not happening. I am using this configuration as suggested by the documentation here: https://docs.gunicorn.org/en/21.2.0/settings.html

Any idea of what to check? I know the file is being parsed because if I introduce a bad config, it is noted at startup.

Also, where or how is the instance variable for the config defined?

"The callable needs to accept an instance variable for the Config"

The below is a file mapped into the container called gunicorn_config.py:

    def ssl_context(conf, default_ssl_context_factory):
        import ssl
        context = default_ssl_context_factory()
        context.minimum_version = ssl.TLSVersion.TLSv1_3
        return context

Re: Enforcing TLS 1.3 as a minimum version

From: Khushboo Vashi
Hi,

On Tue, Apr 8, 2025 at 12:00 AM John Barker <johnobarker@gmail.com> wrote:


Can you please share your gunicorn_config.py file?
The code looks good to me, and you said that you mapped the correct Gunicorn config file from the container.
Also, what testing have you done to check whether the TLS version is enforced or not?


Re: Enforcing TLS 1.3 as a minimum version

From: Khushboo Vashi
[...Looping pgAdmin-Support]

On Tue, Apr 8, 2025 at 9:19 PM John Barker <johnobarker@gmail.com> wrote:
Hello,

I am on a closed network so I can't copy my files and have to retype them. I have verified that the file below is being parsed when the container starts. My config.py is default as shipped with the container. I was previously able to get this to work with pgAdmin 8.6 and TLS 1.2 (no ssl_context required) before the requirement to upgrade to pgAdmin 9.1 and TLS 1.3 (using ssl_context).

I include PGADMIN_ENABLE_TLS: true in my podman compose file as well as my certs, which are valid. There are no errors at startup in the container logs.

Here are the total contents of gunicorn_config.py

*********   BEGIN ********************
import gunicorn
gunicorn.SERVER_SOFTWARE = 'Python'
conf = '/pgadmin4/config.py'

#ssl_version = 'TLSv1_2'     -- working 8.6 setting
#ciphers = 'ECDHE-RSA-AES256-GCM-SHA383:!aNull'  -- working 8.6 setting

def ssl_context(conf, default_ssl_context_factory):
    import ssl
    context = default_ssl_context_factory()
    context.minimum_version = ssl.TLSVersion.TLSv1_3
    return context
*******  EOF  **************
This code looks fine.
I test TLS version using openssl like this:
# openssl s_client -showcerts -tls1_2 -connect hostname:port
What is the output of `curl -v <pgadmin_url>`?
The above command gets a valid response with a TLS 1.2 handshake using a cipher of ECDHE-RSA-AES256-GCM-SHA383. I would expect this not to work.
Thanks, John

Re: Enforcing TLS 1.3 as a minimum version

From: John Barker
What is the output of `curl -v <pgadmin_url>`?

The curl connects successfully but gives no information:

curl: (52) Empty reply from server.


Re: Enforcing TLS 1.3 as a minimum version

From: John Barker
Just wanted to bounce this up.

Thanks,

John


Re: Enforcing TLS 1.3 as a minimum version

From: Khushboo Vashi

On Wed, Apr 9, 2025 at 7:56 PM John Barker <johnobarker@gmail.com> wrote:
What is the output of `curl -v <pgadmin_url>`?

It generally gives output like the one below so we can verify the TLS version.

khushboo.vashi@MAC-HLG7090G2F web % curl -v https://google.com
*   Trying 142.250.193.46:443...
* Connected to google.com (142.250.193.46) port 443 (#0)
* ALPN: offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /usr/local/Netskope_CA_Bundle/nscacert_combined.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256
* ALPN: server accepted h2



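Added example (not from the thread, pgAdmin or Gunicorn): the ssl_context hook exactly as posted above, with the same (conf, default_ssl_context_factory) signature the Gunicorn docs describe, plus an offline probe that does what the openssl -tls1_2 and curl -v checks in the thread do, so you can see what "enforced" looks like before pointing the tools at the container. The probe server is plain Python ssl standing in for Gunicorn; the throwaway certificate is generated with the openssl CLI, which is assumed to be on PATH (the demo returns None if it is not); the helper names make_self_signed, hook_sets_minimum, probe and run_demo, the /CN=localhost subject and the loopback ephemeral port are all mine.

```python
"""Gunicorn-style ssl_context hook pinning TLS 1.3, with a loopback probe
that proves the pin: a client capped at TLS 1.2 must be refused, a TLS 1.3
client must succeed. Example code, not pgAdmin's or Gunicorn's."""
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading

OPENSSL = shutil.which("openssl")  # assumption: openssl CLI on PATH; demo skips if not


def ssl_context(conf, default_ssl_context_factory):
    """The hook from the thread. Gunicorn passes its Config instance as
    ``conf`` (unused here) and a factory for the context it would otherwise
    use; we only raise the protocol floor on that context."""
    context = default_ssl_context_factory()
    context.minimum_version = ssl.TLSVersion.TLSv1_3
    return context


def hook_sets_minimum():
    """Static check with no cert or network: run a bare server context
    through the hook and report the resulting floor ("TLSv1_3")."""
    ctx = ssl_context(None, lambda: ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER))
    return ctx.minimum_version.name


def make_self_signed(tmpdir):
    """Throwaway one-day self-signed cert/key for the probe server (constructed)."""
    cert, key = os.path.join(tmpdir, "cert.pem"), os.path.join(tmpdir, "key.pem")
    subprocess.run(
        [OPENSSL, "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", "/CN=localhost", "-keyout", key, "-out", cert],
        check=True, capture_output=True)
    return cert, key


def _serve(listener, server_ctx, expected_clients, seen):
    """Accept N clients; record the negotiated version, or "rejected" when the
    handshake fails (which is what a TLS 1.2-only client must get)."""
    for _ in range(expected_clients):
        try:
            conn, _ = listener.accept()
        except OSError:          # listener timed out or was closed
            return
        conn.settimeout(10)
        try:
            tls = server_ctx.wrap_socket(conn, server_side=True)  # handshake happens here
        except OSError:
            seen.append("rejected")
            conn.close()
            continue
        seen.append(tls.version())
        try:
            tls.recv(16)         # let the client finish before tearing down
        except OSError:
            pass
        finally:
            tls.close()


def probe(port, max_version):
    """Client handshake capped at ``max_version`` (what ``openssl s_client -tls1_2``
    does); returns the negotiated protocol, or None if the server refuses."""
    cctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    cctx.check_hostname = False   # self-signed test cert; never do this in production
    cctx.verify_mode = ssl.CERT_NONE
    cctx.maximum_version = max_version
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=10) as raw:
            with cctx.wrap_socket(raw) as tls:
                tls.sendall(b"x")
                return tls.version()
    except OSError:               # ssl.SSLError (protocol_version alert) is an OSError
        return None


def run_demo():
    """Serve with a context built through the hook and probe it twice."""
    if OPENSSL is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        cert, key = make_self_signed(tmp)

        def default_factory():   # stands in for Gunicorn's default factory
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
            ctx.load_cert_chain(cert, key)
            return ctx

        server_ctx = ssl_context(None, default_factory)
        listener = socket.socket()
        listener.settimeout(10)
        listener.bind(("127.0.0.1", 0))   # ephemeral loopback port
        listener.listen(2)
        port = listener.getsockname()[1]
        seen = []
        t = threading.Thread(target=_serve, args=(listener, server_ctx, 2, seen), daemon=True)
        t.start()
        tls12 = probe(port, ssl.TLSVersion.TLSv1_2)   # expected: None (refused)
        tls13 = probe(port, ssl.TLSVersion.TLSv1_3)   # expected: "TLSv1.3"
        t.join(10)
        listener.close()
        return {"tls12_client": tls12, "tls13_client": tls13, "server_saw": seen}


if __name__ == "__main__":
    print("hook floor:", hook_sets_minimum())
    print(run_demo())
```

Against a correctly enforced server the TLS 1.2 probe returns None and the server side records "rejected", which is the same outcome to expect from `openssl s_client -tls1_2 -connect host:port` (a protocol-version alert instead of a handshake), while `curl -v` should show "SSL connection using TLSv1.3". The probe reads the negotiated version off the socket rather than the HTTP layer, so a bad URL or an empty HTTP reply cannot hide the TLS result.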