How is possible to configure TLSv1.1 protocol for SSL connection in PostgreSQL?
Problem
I need to configure TLS 1.1 protocol for SSL connection in PostgreSQL.
I was not able to see a protocol setting in the PostgreSQL configuration.
It is required to disable SSL protocols and TLSv1 and enable only TLSv1.1 (or TLSv1.2).
Added
PCI DSS v3.1 requires that fallback to SSL and TLSv1 be disabled.
Is it possible to configure PostgreSQL to negotiate using TLSv1.1 only?
If you know that it is impossible, please share this information.
Added 2
Unfortunately, the configuration of ssl_ciphers is not enough, since you can use the same ciphers for different protocols. It is required to configure SSL_METHOD as described here: https://www.openssl.org/docs/manmaster/ssl/ssl.html.
My conclusion is that the configuration of SSL_METHOD (or SSL_PROTOCOL) is missing from the PostgreSQL configuration and it cannot be compliant with PCI DSS 3.1. Please correct me if I am wrong.
Solution
@BrianEfting was correct, you can specify the appropriate cipher suites to only allow TLSv1.2 which should fit your PCI-DSS 3.1 specification needs.
Using a cipher list like this in the ssl_ciphers option in your postgresql.conf:

    ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

along with setting ssl_prefer_server_ciphers=true, should be sufficient to allow only TLSv1.2 connections. You can verify this using SSLyze, which knows about the PostgreSQL protocol.
To test, I used the following command:

    ./sslyze.py --sslv2 --sslv3 --tlsv1 --tlsv1_1 --tlsv1_2 localhost:5432 --starttls=postgres --hide_rejected_ciphers

which gave the output below under PostgreSQL 9.4 on Debian Wheezy, showing that all cipher suites except for the TLSv1.2 ciphers specified were rejected, which should satisfy the requirements of PCI-DSS 3.1 by using TLSv1.1 or greater.
postgres@pgsqlsec4:~/sslyze$ ./sslyze.py --sslv2 --sslv3 --tlsv1 --tlsv1_1 --tlsv1_2 localhost:5432 --starttls=postgres --hide_rejected_ciphers
AVAILABLE PLUGINS
-----------------
PluginCompression
PluginHeartbleed
PluginChromeSha1Deprecation
PluginSessionRenegotiation
PluginOpenSSLCipherSuites
PluginSessionResumption
PluginHSTS
PluginCertInfo
CHECKING HOST(S) AVAILABILITY
-----------------------------
localhost:5432 => ::1:5432
SCAN RESULTS FOR LOCALHOST:5432 - ::1:5432
------------------------------------------
* SSLV2 Cipher Suites:
Server rejected all cipher suites.
* TLSV1_2 Cipher Suites:
Preferred:
ECDHE-RSA-AES128-GCM-SHA256 ECDH-256 bits 128 bits
Accepted:
ECDHE-RSA-AES256-SHA384 ECDH-256 bits 256 bits
ECDHE-RSA-AES256-GCM-SHA384 ECDH-256 bits 256 bits
DHE-RSA-AES256-SHA256 DH-1024 bits 256 bits
DHE-RSA-AES256-GCM-SHA384 DH-1024 bits 256 bits
ECDHE-RSA-AES128-SHA256 ECDH-256 bits 128 bits
ECDHE-RSA-AES128-GCM-SHA256 ECDH-256 bits 128 bits
DHE-RSA-AES128-SHA256 DH-1024 bits 128 bits
DHE-RSA-AES128-GCM-SHA256 DH-1024 bits 128 bits
* TLSV1_1 Cipher Suites:
Server rejected all cipher suites.
* TLSV1 Cipher Suites:
Server rejected all cipher suites.
* SSLV3 Cipher Suites:
Server rejected all cipher suites.
SCAN COMPLETED IN 0.73 S
------------------------
postgres@pgsqlsec4:~/sslyze$
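To see why the answer's list pins the server to TLSv1.2 even though PostgreSQL 9.4 has no protocol setting, here is an added Python check (not from the page, PostgreSQL or SSLyze) that splits an ssl_ciphers string and reports every enabled entry a TLS 1.0/1.1 client could still negotiate. ANSWER_CIPHERS is a copy of the answer's list; the TLS12_ONLY pattern and the function names are my own assumptions.

```python
import re

# Constructed copy of the ssl_ciphers value from the answer above.
ANSWER_CIPHERS = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:"
    "DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK"
)

# Suites that exist only in TLS 1.2: the SHA-256/SHA-384 HMAC suites and the AEAD
# (GCM, CCM, ChaCha20-Poly1305) suites. TLS 1.0 and 1.1 clients cannot offer them,
# so a list made solely of these leaves the older protocols nothing to negotiate.
TLS12_ONLY = re.compile(r"(SHA256|SHA384|CCM8?|CHACHA20-POLY1305)$")

def split_cipher_list(ssl_ciphers: str):
    """Split an OpenSSL cipher string into (enabled tokens, '!'-excluded tokens)."""
    enabled, excluded = [], []
    for token in ssl_ciphers.split(":"):
        if not token:
            continue
        if token.startswith("!"):
            excluded.append(token[1:])
        else:
            enabled.append(token.lstrip("+-"))
    return enabled, excluded

def legacy_negotiable(ssl_ciphers: str):
    """Enabled tokens a TLS 1.0/1.1 client could still negotiate.

    Keyword aliases such as HIGH or ECDHE expand to suites of every protocol
    version; this checker cannot expand them, so it reports them too.
    """
    enabled, _ = split_cipher_list(ssl_ciphers)
    return [s for s in enabled if not TLS12_ONLY.search(s)]

def pinned_to_tls12(ssl_ciphers: str) -> bool:
    """True when no enabled entry could be used by a pre-TLS 1.2 client."""
    return not legacy_negotiable(ssl_ciphers)

if __name__ == "__main__":
    print("answer list pinned to TLS 1.2:", pinned_to_tls12(ANSWER_CIPHERS))
    weaker = "ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:HIGH:!aNULL"
    print("still negotiable by TLS 1.0/1.1:", legacy_negotiable(weaker))
```

PostgreSQL 12 and later add an ssl_min_protocol_version setting that enforces the protocol floor directly; the cipher-list approach is what remains for older releases such as the 9.4 used here.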
Context
StackExchange Database Administrators Q#115422, answer score: 14