Hi,
I have enabled ssl on my PG servers and have set ssl_cipher to "HIGH". Still, the security team complains that weak ciphers are accepted at server side (They have run some security tests). Security team suggesting to use ssl_dh_params_file.
As per my understanding, DH is a key exchange protocol (read in some forum). DH is used to securely generate a common key between two parties, other algorithms are used for encryption itself. So I believe that dhparam does not help in resolving weak cipher issues. Need some insight on this.
Also, Are there any changes required at client side to connect to the database if ssl_dh_params_file is set at server side?
how to make sure that PG accepts only high ciphers? Please suggest.
Note: I have installed PG version 13.1 on a few servers and 13.3 on a few servers.
Regards,
Pramod