Thread: TLS 1.0
Hi Team,
Our client is using Version : PostgreSQL 9.6.17 , they have done vulnerability assessment and found that :
Our client is using Version : PostgreSQL 9.6.17 , they have done vulnerability assessment and found that :
- TLS version 1.0 Protocol detection
- The remote service encrypt traffic with older version of TLS
We suggested the below changes in PostgresSQL.conf
ssl_ciphers = 'HIGH:!aNULL' OR ssl_ciphers = 'HIGH:TLSv1.2:!aNULL'
ssl_ciphers = 'HIGH:!aNULL' OR ssl_ciphers = 'HIGH:TLSv1.2:!aNULL'
ssl_prefer_server_ciphers = on
ssl_ecdh_curve = 'prime256v1'
ssl_ecdh_curve = 'prime256v1'
But the scan report is still the same. Can you please guide with the configuration in the present Postgres version to remediate it.
Thanks
Thanks
Ehtesham Pradhan <ehtesham.pradhan@lookout.com> writes:
> Our client is using Version : PostgreSQL 9.6.17 , they have done vulnerability
> assessment and found that :
> - TLS version 1.0 Protocol detection
> - The remote service encrypt traffic with older version of TLS
This is mostly a matter of whether the OpenSSL libraries being used on
both ends are up-to-date. If you were using PG 12 or later you could
set the server parameter ssl_min_protocol_version to enforce whatever
policy you want about minimum TLS version. But in 9.6.x it's going
to be strictly a matter of what OpenSSL wants to do. Check the
system-wide OpenSSL configuration on each end, and update OpenSSL
if necessary. At least with reasonably modern OpenSSL, you should
be able to enforce a minimum TLS version in OpenSSL's config
(see MinProtocol).
regards, tom lane
From a security audit point of view, also consider the fact that 9.6 is end-of-life in 3 months.
-Steve
On Fri, Aug 6, 2021 at 9:46 AM Tom Lane <tgl@sss.pgh.pa.us> wrote:
Ehtesham Pradhan <ehtesham.pradhan@lookout.com> writes:
> Our client is using Version : PostgreSQL 9.6.17 , they have done vulnerability
> assessment and found that :
> - TLS version 1.0 Protocol detection
> - The remote service encrypt traffic with older version of TLS
This is mostly a matter of whether the OpenSSL libraries being used on
both ends are up-to-date. If you were using PG 12 or later you could
set the server parameter ssl_min_protocol_version to enforce whatever
policy you want about minimum TLS version. But in 9.6.x it's going
to be strictly a matter of what OpenSSL wants to do. Check the
system-wide OpenSSL configuration on each end, and update OpenSSL
if necessary. At least with reasonably modern OpenSSL, you should
be able to enforce a minimum TLS version in OpenSSL's config
(see MinProtocol).
regards, tom lane