Just wanted to bounce this up. Thanks,
John

On Wed, Apr 9, 2025 at 10:26 AM John Barker <johnobar...@gmail.com> wrote:

> What is the output of `curl -v <pgadmin_url>` ?
>
> The curl connects successfully but gives no information:
>
> curl: (52) Empty reply from server.
>
> On Tue, Apr 8, 2025 at 11:38 PM Khushboo Vashi <khushboo.va...@enterprisedb.com> wrote:
>
>> [...Looping pgAdmin-Support]
>>
>> On Tue, Apr 8, 2025 at 9:19 PM John Barker <johnobar...@gmail.com> wrote:
>>
>>> Hello,
>>>
>>> I am on a closed network so I can't copy my files and have to retype
>>> them. I have verified that the file below is being parsed when the
>>> container starts. My config.py is default as shipped with the
>>> container. I was previously able to get this to work with pgAdmin 8.6
>>> and TLS 1.2 (no ssl_context required) before the requirement to upgrade
>>> to pgAdmin 9.1 and TLS 1.3 (using ssl_context).
>>>
>>> I include PGADMIN_ENABLE_TLS: true in my podman compose file as well as
>>> my certs which are valid. There are no errors at startup in the container
>>> logs.
>>>
>>> Here are the total contents of gunicorn_config.py
>>>
>>> ********* BEGIN ********************
>>> import gunicorn
>>> gunicorn.SERVER_SOFTWARE = 'Python'
>>> conf = '/pgadmin4/config.py'
>>>
>>> #ssl_version = 'TLSv1_2' -- working 8.6 setting
>>> #ciphers = 'ECDHE-RSA-AES256-GCM-SHA383:!aNull' -- working 8.6 setting
>>>
>>> def ssl_context(conf, default_ssl_context_factory):
>>>     import ssl
>>>     context = default_ssl_context_factory()
>>>     context.minimum_version = ssl.TLSVersion.TLSv1_3
>>>     return context
>>>
>>> ******* EOF **************
>>>
>>> This code looks fine.
>>
>>> I test TLS version using openssl like this:
>>>
>>> # openssl s_client -showcerts -tls1_2 -connect hostname:port
>>>
>>> What is the output of `curl -v <pgadmin_url>` ?
>>
>>> The above command gets a valid response with a TLS 1.2 handshake using a
>>> cipher of ECDHE-RSA-AES256-GCM-SHA383. I would expect this not to work.
>>>
>>> Thanks, John
>>>
>>> On Tue, Apr 8, 2025 at 7:10 AM Khushboo Vashi <khushboo.va...@enterprisedb.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> On Tue, Apr 8, 2025 at 12:00 AM John Barker <johnobar...@gmail.com> wrote:
>>>>
>>>>>
>>>>> I am running pgAdmin 9.1 in a podman container and am trying to ensure
>>>>> that TLS 1.3 is the minimum version. I have created an override file and
>>>>> I know that it is being read at startup but the enforcement of TLS 1.3 is
>>>>> not happening. I am using this configuration as suggested by the
>>>>> documentation here: https://docs.gunicorn.org/en/21.2.0/settings.html
>>>>>
>>>>> Any idea of what to check. I know the file is being parsed because if
>>>>> I introduce a bad config, it is noted at startup.
>>>>>
>>>>> Also, where or how is the instance variable for the config defined?
>>>>>
>>>>> "The callable needs to accept an instance variable for the Config"
>>>>>
>>>>
>>>> Can you please share your gunicorn_config.py file?
>>>> The code looks good to me, and you said that you mapped the correct
>>>> Gunicorn config file from the container.
>>>> Also, what testing have you done to check whether the TLS version is
>>>> enforced or not?
>>>>
>>>>>
>>>>> The below is a file mapped into the container called gunicorn_config.py
>>>>>
>>>>> def ssl_context(conf, default_ssl_context_factory):
>>>>>     import ssl
>>>>>     context = default_ssl_context_factory()
>>>>>     context.minimum_version = ssl.TLSVersion.TLSv1_3
>>>>>     return context
>>>>>
>>>>>
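
Added example, not part of the thread and not pgAdmin or gunicorn code: an in-memory equivalent of the `openssl s_client -tls1_2` test, run against the posted hook in isolation, to show what the hook does to a server context independently of whether the running server applies it. `stub_factory`, `tls12_hello_verdict` and `refuses_tls12` are hypothetical names, and the stub factory is an assumed stand-in for the one gunicorn passes in; it loads no certificate, so only the version check is exercised.

```python
import ssl

def ssl_context(conf, default_ssl_context_factory):
    # The hook as posted in the thread.
    context = default_ssl_context_factory()
    context.minimum_version = ssl.TLSVersion.TLSv1_3
    return context

def stub_factory():
    # Assumption: stand-in for the factory gunicorn hands to the hook.
    # No certificate is loaded, so no handshake below can complete.
    return ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)

def tls12_hello_verdict(server_ctx):
    """Feed a TLS 1.2-only ClientHello to server_ctx in memory.

    Returns the reason of the SSLError the server side raises, or
    "CONTINUES" if the server accepted the hello and wants more data.
    """
    client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    client_ctx.check_hostname = False
    client_ctx.verify_mode = ssl.CERT_NONE  # only the version is under test
    client_ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    client_ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    c_in, c_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    s_in, s_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = client_ctx.wrap_bio(c_in, c_out)
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
    try:
        client.do_handshake()
    except ssl.SSLWantReadError:
        pass  # the ClientHello is now queued in c_out
    s_in.write(c_out.read())
    try:
        server.do_handshake()
    except ssl.SSLWantReadError:
        return "CONTINUES"
    except ssl.SSLError as exc:
        return exc.reason
    return "COMPLETE"

def refuses_tls12(server_ctx):
    # OpenSSL rejects a hello below minimum_version as UNSUPPORTED_PROTOCOL.
    return tls12_hello_verdict(server_ctx) == "UNSUPPORTED_PROTOCOL"

if __name__ == "__main__":
    print("default:", tls12_hello_verdict(stub_factory()))
    print("hooked: ", tls12_hello_verdict(ssl_context(None, stub_factory)))
```

For the default context, any reason other than `UNSUPPORTED_PROTOCOL` means the TLS 1.2 hello passed the version check and failed later only because the stub has no certificate.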