Participants
Ehtesham Pradhan
Ehtesham Pradhan
Tom Lane
Tom Lane
Steve Crawford
Steve Crawford
Attachments
Show all attachments
Thread Outline
#1Ehtesham PradhanEhtesham Pradhan
Aug 06, 2021
#2Tom LaneTom Laneto Ehtesham Pradhan (#1)
Aug 06, 2021
#3Steve CrawfordSteve Crawfordto Tom Lane (#2)
Aug 06, 2021

TLS 1.0

Started by Ehtesham Pradhanover 4 years ago3 messagesgeneral
Jump to latest
#1Ehtesham Pradhan
Ehtesham Pradhan
ehtesham.pradhan@lookout.com

Hi Team,

Our client is using Version : PostgreSQL 9.6.17 , they have done vulnerability
assessment and found that :

- TLS version 1.0 Protocol detection
- The remote service encrypt traffic with older version of TLS

We suggested the below changes in PostgresSQL.conf

ssl_ciphers = 'HIGH:!aNULL' *OR *ssl_ciphers = 'HIGH:TLSv1.2:!aNULL'
ssl_prefer_server_ciphers = on
ssl_ecdh_curve = 'prime256v1'

But the scan report is still the same. Can you please guide with the
configuration in the present Postgres version to remediate it.

Thanks

#2Tom Lane
Tom Lane
tgl@sss.pgh.pa.us
In reply to: Ehtesham Pradhan (#1)
Re: TLS 1.0

Ehtesham Pradhan <ehtesham.pradhan@lookout.com> writes:

Our client is using Version : PostgreSQL 9.6.17 , they have done vulnerability
assessment and found that :

- TLS version 1.0 Protocol detection
- The remote service encrypt traffic with older version of TLS

This is mostly a matter of whether the OpenSSL libraries being used on
both ends are up-to-date. If you were using PG 12 or later you could
set the server parameter ssl_min_protocol_version to enforce whatever
policy you want about minimum TLS version. But in 9.6.x it's going
to be strictly a matter of what OpenSSL wants to do. Check the
system-wide OpenSSL configuration on each end, and update OpenSSL
if necessary. At least with reasonably modern OpenSSL, you should
be able to enforce a minimum TLS version in OpenSSL's config
(see MinProtocol).

regards, tom lane

#3Steve Crawford
Steve Crawford
scrawford@pinpointresearch.com
In reply to: Tom Lane (#2)
Re: TLS 1.0

From a security audit point of view, also consider the fact that 9.6 is
end-of-life in 3 months.

-Steve

On Fri, Aug 6, 2021 at 9:46 AM Tom Lane <tgl@sss.pgh.pa.us> wrote:

Show quoted text

Ehtesham Pradhan <ehtesham.pradhan@lookout.com> writes:

Our client is using Version : PostgreSQL 9.6.17 , they have done

vulnerability

assessment and found that :

- TLS version 1.0 Protocol detection
- The remote service encrypt traffic with older version of TLS

This is mostly a matter of whether the OpenSSL libraries being used on
both ends are up-to-date. If you were using PG 12 or later you could
set the server parameter ssl_min_protocol_version to enforce whatever
policy you want about minimum TLS version. But in 9.6.x it's going
to be strictly a matter of what OpenSSL wants to do. Check the
system-wide OpenSSL configuration on each end, and update OpenSSL
if necessary. At least with reasonably modern OpenSSL, you should
be able to enforce a minimum TLS version in OpenSSL's config
(see MinProtocol).

regards, tom lane

← Back to Topics