Discussion: SSL connection still showing TLSv1.3 even though it is disabled in ssl_ciphers
Hi,
While testing SSL version 1.1.1c, I only enabled TLSv1.2 and the rest, including TLSv1.3, have been disabled, like this:
postgres=# show ssl_ciphers ;
ssl_ciphers
----------------------------------------------
TLSv1.2:!aNULL:!SSLv2:!SSLv3:!TLSv1:!TLSv1.3
To confirm the same, there is a tool called sslyze (SSLyze is a Python library and a CLI tool that can analyze the SSL configuration of a server by connecting to it; https://github.com/nabla-c0d3/sslyze) which I configured on my machine.
Run this command:
[root@localhost Downloads]# python -m sslyze --sslv2 --sslv3 --tlsv1 --tlsv1_1 --tlsv1_2 --tlsv1_3 localhost:5432 --starttls=postgres --hide_rejected_ciphers
AVAILABLE PLUGINS
-----------------
CompressionPlugin
HttpHeadersPlugin
OpenSslCcsInjectionPlugin
OpenSslCipherSuitesPlugin
SessionResumptionPlugin
FallbackScsvPlugin
CertificateInfoPlugin
RobotPlugin
HeartbleedPlugin
SessionRenegotiationPlugin
CHECKING HOST(S) AVAILABILITY
-----------------------------
localhost:5432 => 127.0.0.1
SCAN RESULTS FOR LOCALHOST:5432 - 127.0.0.1
-------------------------------------------
* SSLV2 Cipher Suites:
Server rejected all cipher suites.
* TLSV1_3 Cipher Suites:
Server rejected all cipher suites.
* SSLV3 Cipher Suites:
Server rejected all cipher suites.
* TLSV1_1 Cipher Suites:
Server rejected all cipher suites.
* TLSV1_2 Cipher Suites:
Forward Secrecy OK - Supported
RC4 OK - Not Supported
Preferred:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH-256 bits 256 bits
Accepted:
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 DH-2048 bits 256 bits
RSA_WITH_AES_256_CCM_8 - 256 bits
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - 256 bits
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - 256 bits
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 - 256 bits
RSA_WITH_AES_256_CCM - 256 bits
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 - 256 bits
ARIA256-GCM-SHA384 - 256 bits
TLS_RSA_WITH_AES_256_CBC_SHA256 - 256 bits
TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 - 256 bits
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDH-256 bits 256 bits
DHE_RSA_WITH_AES_256_CCM_8 - 256 bits
ECDHE-ARIA256-GCM-SHA384 - 256 bits
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH-256 bits 256 bits
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 DH-2048 bits 256 bits
TLS_RSA_WITH_AES_256_GCM_SHA384 - 256 bits
TLS_DHE_RSA_WITH_AES_256_CCM - 256 bits
DHE-RSA-ARIA256-GCM-SHA384 - 256 bits
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 - 128 bits
RSA_WITH_AES_128_CCM_8 - 128 bits
RSA_WITH_AES_128_CCM - 128 bits
DHE_RSA_WITH_AES_128_CCM - 128 bits
DHE_RSA_WITH_AES_128_CCM_8 - 128 bits
ARIA128-GCM-SHA256 - 128 bits
TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 - 128 bits
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 DH-2048 bits 128 bits
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH-256 bits 128 bits
TLS_RSA_WITH_AES_128_CBC_SHA256 - 128 bits
ECDHE-ARIA128-GCM-SHA256 - 128 bits
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 DH-2048 bits 128 bits
TLS_RSA_WITH_AES_128_GCM_SHA256 - 128 bits
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 - 128 bits
DHE-RSA-ARIA128-GCM-SHA256 - 128 bits
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ECDH-256 bits 128 bits
* TLSV1 Cipher Suites:
Server rejected all cipher suites.
SCAN COMPLETED IN 0.84 S
------------------------
These are the ones which got rejected for TLSV1_3:
* TLSV1_3 Cipher Suites:
Rejected:
TLS_CHACHA20_POLY1305_SHA256 TLS / Alert: protocol version
TLS_AES_256_GCM_SHA384 TLS / Alert: protocol version
TLS_AES_128_GCM_SHA256 TLS / Alert: protocol version
TLS_AES_128_CCM_SHA256 TLS / Alert: protocol version
TLS_AES_128_CCM_8_SHA256 TLS / Alert: protocol version
When I connect to the psql terminal:
psql.bin (10.9)
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
Type "help" for help.
postgres=# show ssl_ciphers ;
ssl_ciphers
----------------------------------------------
TLSv1.2:!aNULL:!SSLv2:!SSLv3:!TLSv1:!TLSv1.3
(1 row)
postgres=#
The cipher which has been rejected should not be displayed in the message.
Is this expected?
--
regards, tushar
EnterpriseDB https://www.enterprisedb.com/
The Enterprise PostgreSQL Company
tushar <tushar.ahuja@enterprisedb.com> writes:
> When I connect to the psql terminal:
> psql.bin (10.9)
> SSL connection (protocol: TLSv1.3, cipher: *TLS_AES_256_GCM_SHA384*,
> bits: 256, compression: off)
> Type "help" for help.
> postgres=# show ssl_ciphers ;
> ssl_ciphers
> ----------------------------------------------
> TLSv1.2:!aNULL:!SSLv2:!SSLv3:!TLSv1:!TLSv1.3
> (1 row)

My guess is that OpenSSL ignored your ssl_ciphers setting on the grounds that it's stupid to reject all possible ciphers. In any case, this would be something to raise with them not us. PG does nothing with that value except pass it to SSL_CTX_set_cipher_list.

regards, tom lane
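As Tom says, the ssl_ciphers value is handed to SSL_CTX_set_cipher_list unchanged. The Python below is an added illustration, not code from the thread or from PostgreSQL: ssl.SSLContext.set_ciphers() wraps that same OpenSSL call, so applying the thread's exact string to a context shows which suites OpenSSL really leaves enabled, and why a protocol-version cap rather than a cipher string is what keeps TLS 1.3 out of a handshake. It assumes Python built against OpenSSL 1.1.1 or later.

```python
import ssl

# The exact setting shown by `show ssl_ciphers` in the thread.
PG_SSL_CIPHERS = "TLSv1.2:!aNULL:!SSLv2:!SSLv3:!TLSv1:!TLSv1.3"

# True when the local OpenSSL can speak TLS 1.3 (OpenSSL 1.1.1 or later).
TLS13_AVAILABLE = ssl.HAS_TLSv1_3


def enabled_suites(cipher_string):
    """Apply a cipher-list string the way PostgreSQL does (it ends up in
    SSL_CTX_set_cipher_list) and group the resulting suites by the
    protocol version each one belongs to."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Words that are not cipher-list keywords ('SSLv2', 'TLSv1.3') are
    # silently skipped by OpenSSL's cipher-string parser.
    ctx.set_ciphers(cipher_string)
    by_version = {}
    for cipher in ctx.get_ciphers():
        by_version.setdefault(cipher["protocol"], []).append(cipher["name"])
    return by_version


def tls13_still_enabled(cipher_string):
    """TLS 1.3 suites that survive the cipher string. OpenSSL 1.1.1 keeps
    them in a separate list (SSL_CTX_set_ciphersuites) that the cipher
    list never edits, so '!TLSv1.3' cannot remove them."""
    return enabled_suites(cipher_string).get("TLSv1.3", [])


def capped_context(cipher_string):
    """What actually stops a TLS 1.3 handshake: a protocol version cap
    (SSL_CTX_set_max_proto_version), independent of the cipher list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    suites = enabled_suites(PG_SSL_CIPHERS)
    print("TLS 1.3 suites still enabled:", tls13_still_enabled(PG_SSL_CIPHERS))
    print("TLS 1.2 suites enabled:", len(suites.get("TLSv1.2", [])))
    print("negotiable maximum after the cap:",
          capped_context(PG_SSL_CIPHERS).maximum_version.name)
```

Setting ctx.maximum_version is the Python spelling of the version cap; PostgreSQL 12 and later expose the same control as the ssl_max_protocol_version parameter.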