Hi ,
While testing SSL version 1.1.1c , I only enabled TLSv1.2 and rest
including TLSv1.3 has been disabled , like this -
postgres=# show ssl_ciphers ;
ssl_ciphers
----------------------------------------------
TLSv1.2:!aNULL:!SSLv2:!SSLv3:!TLSv1:!TLSv1.3
To cofirm the same, there is a tool called - sslyze ( SSLyze is a
Python library and a CLI tool that can analyze the SSL configuration of
a server by connecting to it)
(https://github.com/nabla-c0d3/sslyze) which i configured on my machine .
Run this command -
[root@localhost Downloads]# python -m sslyze --sslv2 --sslv3 --tlsv1
--tlsv1_1 --tlsv1_2 --tlsv1_3 localhost:5432 --starttls=postgres
--hide_rejected_ciphers
AVAILABLE PLUGINS
-----------------
CompressionPlugin
HttpHeadersPlugin
OpenSslCcsInjectionPlugin
OpenSslCipherSuitesPlugin
SessionResumptionPlugin
FallbackScsvPlugin
CertificateInfoPlugin
RobotPlugin
HeartbleedPlugin
SessionRenegotiationPlugin
CHECKING HOST(S) AVAILABILITY
-----------------------------
localhost:5432 => 127.0.0.1
SCAN RESULTS FOR LOCALHOST:5432 - 127.0.0.1
-------------------------------------------
* SSLV2 Cipher Suites:
Server rejected all cipher suites.
** TLSV1_3 Cipher Suites:**
** Server rejected all cipher suites.**
*
* SSLV3 Cipher Suites:
Server rejected all cipher suites.
* TLSV1_1 Cipher Suites:
Server rejected all cipher suites.
* TLSV1_2 Cipher Suites:
Forward Secrecy OK - Supported
RC4 OK - Not Supported
Preferred:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH-256
bits 256 bits
Accepted:
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 DH-2048
bits 256 bits
RSA_WITH_AES_256_CCM_8 - 256 bits
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - 256
bits
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - 256 bits
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 - 256 bits
RSA_WITH_AES_256_CCM - 256 bits
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 - 256 bits
ARIA256-GCM-SHA384 - 256 bits
TLS_RSA_WITH_AES_256_CBC_SHA256 - 256 bits
TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 - 256 bits
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDH-256
bits 256 bits
DHE_RSA_WITH_AES_256_CCM_8 - 256 bits
ECDHE-ARIA256-GCM-SHA384 - 256 bits
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH-256
bits 256 bits
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 DH-2048
bits 256 bits
TLS_RSA_WITH_AES_256_GCM_SHA384 - 256 bits
TLS_DHE_RSA_WITH_AES_256_CCM - 256 bits
DHE-RSA-ARIA256-GCM-SHA384 - 256 bits
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 - 128 bits
RSA_WITH_AES_128_CCM_8 - 128 bits
RSA_WITH_AES_128_CCM - 128 bits
DHE_RSA_WITH_AES_128_CCM - 128 bits
DHE_RSA_WITH_AES_128_CCM_8 - 128 bits
ARIA128-GCM-SHA256 - 128 bits
TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 - 128 bits
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 DH-2048
bits 128 bits
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH-256
bits 128 bits
TLS_RSA_WITH_AES_128_CBC_SHA256 - 128 bits
ECDHE-ARIA128-GCM-SHA256 - 128 bits
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 DH-2048
bits 128 bits
TLS_RSA_WITH_AES_128_GCM_SHA256 - 128 bits
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 - 128 bits
DHE-RSA-ARIA128-GCM-SHA256 - 128 bits
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ECDH-256
bits 128 bits
* TLSV1 Cipher Suites:
Server rejected all cipher suites.
SCAN COMPLETED IN 0.84 S
------------------------
These are the ones which got rejected for TLSV1_3
* TLSV1_3 Cipher Suites:
Rejected:
TLS_CHACHA20_POLY1305_SHA256 TLS / Alert:
protocol version
*TLS_AES_256_GCM_SHA384* TLS / Alert: protocol
version
TLS_AES_128_GCM_SHA256 TLS / Alert:
protocol version
TLS_AES_128_CCM_SHA256 TLS / Alert:
protocol version
TLS_AES_128_CCM_8_SHA256 TLS / Alert:
protocol version
when i connect to psql terminal -
psql.bin (10.9)
SSL connection (protocol: TLSv1.3, cipher: *TLS_AES_256_GCM_SHA384*,
bits: 256, compression: off)
Type "help" for help.
postgres=# show ssl_ciphers ;
ssl_ciphers
----------------------------------------------
TLSv1.2:!aNULL:!SSLv2:!SSLv3:!TLSv1:!TLSv1.3
(1 row)
postgres=#
Cipher which has been rejected -should not display in the message.
Is this expected ?
--
regards,tushar
EnterpriseDB https://www.enterprisedb.com/
The Enterprise PostgreSQL Company
