Обсуждение: Re: [GENERAL] [HACKERS] OpeSSL - PostgreSQL
On 11/09/2017 01:59 PM, chiru r wrote: > I am using PostgreSQL version *9.5.7* on Red hat enterprise Linux *7.2.* > > *OpenSSL version : * OpenSSL 1.0.1e-fips 11 Feb 2013. > > I have a requirement to enable the SSL in my environment with specific > cipher suites,we want to restrict weak cipher suites from open SSL > default list. > > We have list of cipher suites, which are authorized to use in my > environment.So the Client Applications use one of authorized cipher > suites while configuring application server. > > Is it require to install different version of OpenSSL software instead > of default OpenSSL on Linux ?. Note -- please don't cross post to hackers as it is off topic for that list and cross posting is generally frowned upon (pgsql-hackers removed). Assuming you mean that you need only FIPS 140-2 compliant ciphers, you would want to configure the OS for system-wide FIPS compliance. See: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-federal_standards_and_regulations > How to configure the PostgreSQL to allow specif cipher suites from > different client applications? If you still need more control over what Postgres allows, see the ssl_ciphers configuration setting here: https://www.postgresql.org/docs/current/static/runtime-config-connection.html#GUC-SSL HTH, Joe -- Crunchy Data - http://crunchydata.com PostgreSQL Support for Secure Enterprises Consulting, Training, & Open Source Development
Thanks.
If OpenSSL apply any patches at OS level, Is there any changes/maintenance we need to perform at PostgreSQL end?
On Thu, Nov 9, 2017 at 5:46 PM, Joe Conway <mail@joeconway.com> wrote:
On 11/09/2017 01:59 PM, chiru r wrote:
> I am using PostgreSQL version *9.5.7* on Red hat enterprise Linux *7.2.*
>
> *OpenSSL version : * OpenSSL 1.0.1e-fips 11 Feb 2013.
>
> I have a requirement to enable the SSL in my environment with specific
> cipher suites,we want to restrict weak cipher suites from open SSL
> default list.
>
> We have list of cipher suites, which are authorized to use in my
> environment.So the Client Applications use one of authorized cipher
> suites while configuring application server.
>
> Is it require to install different version of OpenSSL software instead
> of default OpenSSL on Linux ?.
Note -- please don't cross post to hackers as it is off topic for that
list and cross posting is generally frowned upon (pgsql-hackers removed).
Assuming you mean that you need only FIPS 140-2 compliant ciphers, you
would want to configure the OS for system-wide FIPS compliance. See:
https://access.redhat.com/documentation/en-us/red_hat_ enterprise_linux/7/html/ security_guide/chap-federal_ standards_and_regulations
> How to configure the PostgreSQL to allow specif cipher suites from
> different client applications?
If you still need more control over what Postgres allows, see the
ssl_ciphers configuration setting here:
https://www.postgresql.org/docs/current/static/runtime- config-connection.html#GUC-SSL
HTH,
Joe
--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development
On 11/09/2017 05:52 PM, chiru r wrote: > If OpenSSL apply any patches at OS level, Is there any > changes/maintenance we need to perform at PostgreSQL end? > > On Thu, Nov 9, 2017 at 5:46 PM, Joe Conway wrote: >> Assuming you mean that you need only FIPS 140-2 compliant ciphers, you >> would want to configure the OS for system-wide FIPS compliance. See: >> >> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-federal_standards_and_regulations If you enable FIPS at the OS level on a RHEL 7.x system per that link, Postgres will automatically be using SSL in fips-mode, nothing specific you need to (or actually, even can) do. Joe -- Crunchy Data - http://crunchydata.com PostgreSQL Support for Secure Enterprises Consulting, Training, & Open Source Development