[...Looping pgAdmin-Support] On Tue, Apr 8, 2025 at 9:19 PM John Barker <johnobar...@gmail.com> wrote:
> Hello, > > I am on a closed network so I can't copy my files and have to retype > them. I have verified that the file below is being parsed when the > container starts. My config.py is default as shipped with the > container. I was previously able to get this to work with pgAdmin 8.6 > and TLS 1.2 (no ssl_context required) before the requirement to upgrade > to pgAdmin 9.1 and TLS 1.3 (using ssl_context). > > I include PGADMIN_ENABLE_TLS: true in my podman compose file as well as my > certs which are valid. There are no errors at startup in the container > logs. > > Here are the total contents of gunicorn_config.py > > ********* BEGIN ******************** > import gunicorn > gunicorn.SERVER_SOFTWARE = 'Python' > conf = '/pgadmin4/config.py' > > #ssl_version = 'TLSv1_2' -- working 8.6 setting > #ciphers = 'ECDHE-RSA-AES256-GCM-SHA383:!aNull' -- working 8.6 setting > > def ssl_context(conf, default_ssl_context_factory): > import ssl > context = default_ssl_context_factory() > context.minimum_version = ssl.TLSVersion.TLSv1_3 > return context > > ******* EOF ************** > > This code looks fine. > I test TLS version using openssl like this: > > # openssl s_client -showcerts -tls1_2 -connect hostname:port > > What is the output of `curl -v <pgadmin_url>` ? > The above command gets a valid response with a TLS 1.2 handshake using a > cipher of ECDHE-RSA-AES256-GCM-SHA383. I would expect this not to work. > > Thanks, John > > On Tue, Apr 8, 2025 at 7:10 AM Khushboo Vashi < > khushboo.va...@enterprisedb.com> wrote: > >> Hi, >> >> On Tue, Apr 8, 2025 at 12:00 AM John Barker <johnobar...@gmail.com> >> wrote: >> >>> >>> I am running pgAdmin 9.1 in a podman container and am trying to ensure >>> that TLS 1.3 is the minimum version. I have created an override file and >>> I know that it is being read at startup but the enforcement of TLS 1.3 is >>> not happening. I am using this configuration as suggested by the >>> documentation here: https://docs.gunicorn.org/en/21.2.0/settings.html >>> >>> Any idea of what to check. I know the file is being parsed because if I >>> introduce a bad config, it is noted at startup. >>> >>> Also, where or how is the instance variable for the config defined? >>> >>> "The callable needs to accept an instance variable for the Config" >>> >> >> Can you please share your gunicorn_config.py file? >> The code looks good to me, and you said that you mapped the correct >> Gunicorn config file from the container. >> Also, what testing have you done to check whether the TLS version is >> enforced or not? >> >>> >>> The below is a file mapped into the container called gunicorn_config.py >>> >>> def ssl_context(conf, default_ssl_context_factory): >>> import ssl >>> context = default_ssl_context_factory() >>> context.minimum_version = ssl.TLSVersion.TLSv1_3 >>> return context >>> >>>
