libpq connection strings: control over the cipher suites?

Started by Graham Leggett about 8 years ago, 4 messages
#1 Graham Leggett
minfrin@sharp.fm

Hi all,

According to the docs at https://www.postgresql.org/docs/9.5/static/libpq-connect.html#LIBPQ-CONNSTRING there are various parameters that control ssl from the client side, including providing the ssl certs, keys, etc.

Is there a parameter or mechanism for setting the required ssl cipher list from the client side?

Regards,
Graham

#2 Joe Conway
mail@joeconway.com
In reply to: Graham Leggett (#1)
Re: libpq connection strings: control over the cipher suites?

On 11/09/2017 03:27 AM, Graham Leggett wrote:

> Is there a parameter or mechanism for setting the required ssl cipher list from the client side?

I don't believe so. That is controlled by ssl_ciphers, which requires a
restart in order to change.

https://www.postgresql.org/docs/10/static/runtime-config-connection.html#GUC-SSL-CIPHERS

select name,setting,context from pg_settings where name like '%ssl%';
           name            |         setting          |  context
---------------------------+--------------------------+------------
 ssl                       | off                      | postmaster
 ssl_ca_file               |                          | postmaster
 ssl_cert_file             | server.crt               | postmaster
 ssl_ciphers               | HIGH:MEDIUM:+3DES:!aNULL | postmaster
 ssl_crl_file              |                          | postmaster
 ssl_ecdh_curve            | prime256v1               | postmaster
 ssl_key_file              | server.key               | postmaster
 ssl_prefer_server_ciphers | on                       | postmaster
(8 rows)

HTH,

Joe

--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development

#3 Michael Paquier
michael.paquier@gmail.com
In reply to: Joe Conway (#2)
Re: libpq connection strings: control over the cipher suites?

On Fri, Nov 10, 2017 at 2:53 AM, Joe Conway <mail@joeconway.com> wrote:

> On 11/09/2017 03:27 AM, Graham Leggett wrote:
>> Is there a parameter or mechanism for setting the required ssl cipher list from the client side?
>
> I don't believe so. That is controlled by ssl_ciphers, which requires a
> restart in order to change.
>
> https://www.postgresql.org/docs/10/static/runtime-config-connection.html#GUC-SSL-CIPHERS

Since commit de41869 present in v10, SSL parameters can be reloaded.
On libpq there is only an API to have a look at what are the ciphers
set by the server via PQsslAttribute().
--
Michael

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
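
Added example (not part of the thread and not PostgreSQL project code): since the replies say libpq only lets the client inspect the negotiated parameters through PQsslAttribute(), a client can apply its own policy after connecting and close the connection if it is not met. The allowlist, MIN_KEY_BITS, the ssl_attr_fn indirection and the sample_conn stand-in are assumptions made for illustration.

```c
/* Added example, not from the thread. Real use: cc -DUSE_LIBPQ tlscheck.c -lpq */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Same shape as PQsslAttribute(), so the policy also runs without a server. */
typedef const char *(*ssl_attr_fn)(const void *conn, const char *name);
/* Assumed client policy (OpenSSL cipher names), not a PostgreSQL default. */
static const char *const ALLOWED_CIPHERS[] = { "TLS_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256", NULL };
enum { MIN_KEY_BITS = 128 };
/* 0 = acceptable, -1 = no TLS, -2 = key too short, -3 = cipher not allowed */
int check_tls_policy(ssl_attr_fn attr, const void *conn)
{
    const char *cipher = attr(conn, "cipher");
    const char *bits = attr(conn, "key_bits");
    if (cipher == NULL) return -1;
    if (bits == NULL || atoi(bits) < MIN_KEY_BITS) return -2;
    for (size_t i = 0; ALLOWED_CIPHERS[i] != NULL; i++)
        if (strcmp(cipher, ALLOWED_CIPHERS[i]) == 0) return 0;
    return -3;
}

/* Constructed stand-in for a connection, used for the offline demo. */
struct sample_conn { const char *cipher, *key_bits; };
static const char *sample_attr(const void *c, const char *name)
{
    const struct sample_conn *s = c;
    return strcmp(name, "cipher") == 0 ? s->cipher : s->key_bits;
}
int check_sample(const char *cipher, const char *key_bits)
{
    struct sample_conn s = { cipher, key_bits };
    return check_tls_policy(sample_attr, &s);
}

#ifdef USE_LIBPQ
#include <libpq-fe.h>
static const char *pq_attr(const void *c, const char *n) { return PQsslAttribute(c, n); }
int main(int argc, char **argv)
{
    PGconn *conn = PQconnectdb(argc > 1 ? argv[1] : "");
    int rc = PQstatus(conn) == CONNECTION_OK ? check_tls_policy(pq_attr, conn) : -4;
    if (rc != 0) fprintf(stderr, "closing connection, reason %d (-4 = connect failed)\n", rc);
    PQfinish(conn);
    return rc != 0;
}
#else
int main(void) { printf("%d\n", check_sample("DES-CBC3-SHA", "112")); return 0; }
#endif
```

PQconnectdb() returns only after authentication has finished, so this check governs what is sent afterwards; it does not change what the handshake negotiated.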

#4 Joe Conway
mail@joeconway.com
In reply to: Michael Paquier (#3)
Re: libpq connection strings: control over the cipher suites?

On 11/09/2017 03:17 PM, Michael Paquier wrote:

> On Fri, Nov 10, 2017 at 2:53 AM, Joe Conway <mail@joeconway.com> wrote:
>> On 11/09/2017 03:27 AM, Graham Leggett wrote:
>>> Is there a parameter or mechanism for setting the required ssl cipher list from the client side?
>>
>> I don't believe so. That is controlled by ssl_ciphers, which requires a
>> restart in order to change.
>>
>> https://www.postgresql.org/docs/10/static/runtime-config-connection.html#GUC-SSL-CIPHERS
>
> Since commit de41869 present in v10, SSL parameters can be reloaded.

Oh, cool, I must have missed that -- thanks!

Joe

--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development