OpenSSL - PostgreSQL

Started by chiru r about 8 years ago, 6 messages
#1 chiru r
chirupg@gmail.com

Hi All,

I am using PostgreSQL version 9.5.7 on Red Hat Enterprise Linux 7.2.

OpenSSL version: OpenSSL 1.0.1e-fips 11 Feb 2013.

I have a requirement to enable SSL in my environment with specific
cipher suites; we want to restrict weak cipher suites from the OpenSSL default
list.

We have a list of cipher suites which are authorized for use in my
environment, so the client applications use one of the authorized cipher suites
while configuring the application server.

Is it required to install a different version of OpenSSL software instead of
the default OpenSSL on Linux?

How to configure PostgreSQL to allow specific cipher suites from
different client applications?

Thanks,
Chiru

#2 John R Pierce
pierce@hogranch.com
In reply to: chiru r (#1)
Re: OpenSSL - PostgreSQL

On 11/9/2017 1:59 PM, chiru r wrote:

> How to configure PostgreSQL to allow specific cipher suites from
> different client applications?

see https://www.postgresql.org/docs/9.5/static/ssl-tcp.html

--
john r pierce, recycling bits in santa cruz

--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general

#3 Tom Lane
tgl@sss.pgh.pa.us
In reply to: John R Pierce (#2)
Re: OpenSSL - PostgreSQL

John R Pierce <pierce@hogranch.com> writes:

> On 11/9/2017 1:59 PM, chiru r wrote:
>
>> How to configure PostgreSQL to allow specific cipher suites from
>> different client applications?
>
> see https://www.postgresql.org/docs/9.5/static/ssl-tcp.html

Note that while you can adjust ssl_ciphers, it's a postmaster-wide
setting; there is not a provision for letting it be set per-user.
Since the SSL handshake necessarily occurs before we find out which
user is trying to connect, it'd be hard to do differently.

regards, tom lane


#4 Joe Conway
mail@joeconway.com
In reply to: chiru r (#1)
Re: [HACKERS] OpenSSL - PostgreSQL

On 11/09/2017 01:59 PM, chiru r wrote:

> I am using PostgreSQL version 9.5.7 on Red Hat Enterprise Linux 7.2.
>
> OpenSSL version: OpenSSL 1.0.1e-fips 11 Feb 2013.
>
> I have a requirement to enable SSL in my environment with specific
> cipher suites; we want to restrict weak cipher suites from the OpenSSL
> default list.
>
> We have a list of cipher suites which are authorized for use in my
> environment, so the client applications use one of the authorized cipher
> suites while configuring the application server.
>
> Is it required to install a different version of OpenSSL software instead
> of the default OpenSSL on Linux?

Note -- please don't cross post to hackers as it is off topic for that
list and cross posting is generally frowned upon (pgsql-hackers removed).

Assuming you mean that you need only FIPS 140-2 compliant ciphers, you
would want to configure the OS for system-wide FIPS compliance. See:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-federal_standards_and_regulations

> How to configure PostgreSQL to allow specific cipher suites from
> different client applications?

If you still need more control over what Postgres allows, see the
ssl_ciphers configuration setting here:

https://www.postgresql.org/docs/current/static/runtime-config-connection.html#GUC-SSL

HTH,

Joe

--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development
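Since ssl_ciphers is one postmaster-wide OpenSSL cipher string, the practical check is to see which suites the installed OpenSSL actually selects for a candidate string and compare that against the site's authorized list before putting it in postgresql.conf. The script below is an added example, not code from this thread or from PostgreSQL; it uses Python's ssl module, so it reports the behaviour of whichever OpenSSL that Python is linked against (run it on the database host to match the server's library), and the AUTHORIZED set is a constructed placeholder for the poster's own list.

```python
import ssl

# Constructed stand-in for the "authorized cipher suites" list from the
# original question; the real entries come from the site's policy.
AUTHORIZED = {
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
}


def expand_ciphers(spec):
    """Return the TLS <= 1.2 suite names the local OpenSSL selects for an
    OpenSSL cipher string, i.e. a candidate ssl_ciphers value."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites are configured separately by OpenSSL and are not
    # governed by this string, so they are left out of the comparison.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def unauthorized_ciphers(spec, allowed=AUTHORIZED):
    """Suites the server would offer that are not on the authorized list."""
    return [n for n in expand_ciphers(spec) if n not in allowed]


def weak_ciphers(spec):
    """Suites in the expansion whose name shows a primitive policy usually
    excludes (RC4, single/triple DES, MD5, NULL encryption, export grades)."""
    markers = ("RC4", "DES", "MD5", "NULL", "EXP")
    return [n for n in expand_ciphers(spec) if any(m in n for m in markers)]


if __name__ == "__main__":
    # Compare a broad string against one built from the authorized list.
    candidates = ("HIGH:MEDIUM:+3DES:!aNULL", ":".join(sorted(AUTHORIZED)))
    for spec in candidates:
        print(f"ssl_ciphers = '{spec}'")
        print("  offered      :", len(expand_ciphers(spec)))
        print("  unauthorized :", unauthorized_ciphers(spec))
        print("  weak         :", weak_ciphers(spec))
```

A string whose unauthorized list is empty can go into ssl_ciphers; after a reload, the pg_stat_ssl view (available from 9.5) shows the cipher each connected backend actually negotiated.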

#5 chiru r
chirupg@gmail.com
In reply to: Joe Conway (#4)
Re: [HACKERS] OpenSSL - PostgreSQL

Thanks.

If OpenSSL applies any patches at the OS level, are there any changes/maintenance
we need to perform at the PostgreSQL end?


#6 Joe Conway
mail@joeconway.com
In reply to: chiru r (#5)
Re: [HACKERS] OpenSSL - PostgreSQL

On 11/09/2017 05:52 PM, chiru r wrote:

> If OpenSSL applies any patches at the OS level, are there any
> changes/maintenance we need to perform at the PostgreSQL end?
>
> On Thu, Nov 9, 2017 at 5:46 PM, Joe Conway wrote:
>
>> Assuming you mean that you need only FIPS 140-2 compliant ciphers, you
>> would want to configure the OS for system-wide FIPS compliance. See:
>>
>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-federal_standards_and_regulations

If you enable FIPS at the OS level on a RHEL 7.x system per that link,
Postgres will automatically be using SSL in fips-mode, nothing specific
you need to (or actually, even can) do.

Joe

--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development