Quick Links

SSL Connection still showing TLSv1.3 even it is disabled in ssl_ciphers

From:	tushar <tushar(dot)ahuja(at)enterprisedb(dot)com>
To:	PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject:	SSL Connection still showing TLSv1.3 even it is disabled in ssl_ciphers
Date:	2019-08-05 07:29:29
Message-ID:	58f22537-0c67-88a4-f94c-5cf0e78bf0a7@enterprisedb.com
Views:	Raw Message \| Whole Thread \| Download mbox \| Resend email
Thread:
Lists:	pgsql-hackers

Hi ,

While testing SSL version 1.1.1c , I only enabled TLSv1.2 and rest
including TLSv1.3 has been disabled , like this -

postgres=# show ssl_ciphers ;
ssl_ciphers
----------------------------------------------
TLSv1.2:!aNULL:!SSLv2:!SSLv3:!TLSv1:!TLSv1.3

To cofirm the same, there is a tool called - sslyze ( SSLyze is a
Python library and a CLI tool that can analyze the SSL configuration of
a server by connecting to it)
(https://github.com/nabla-c0d3/sslyze) which i configured on my machine .

Run this command -

[root(at)localhost Downloads]# python -m sslyze --sslv2 --sslv3 --tlsv1
--tlsv1_1 --tlsv1_2 --tlsv1_3 localhost:5432 --starttls=postgres
--hide_rejected_ciphers

AVAILABLE PLUGINS
-----------------

CompressionPlugin
HttpHeadersPlugin
OpenSslCcsInjectionPlugin
OpenSslCipherSuitesPlugin
SessionResumptionPlugin
FallbackScsvPlugin
CertificateInfoPlugin
RobotPlugin
HeartbleedPlugin
SessionRenegotiationPlugin

CHECKING HOST(S) AVAILABILITY
-----------------------------

localhost:5432 => 127.0.0.1

SCAN RESULTS FOR LOCALHOST:5432 - 127.0.0.1
-------------------------------------------

* SSLV2 Cipher Suites:
Server rejected all cipher suites.

** TLSV1_3 Cipher Suites:**
** Server rejected all cipher suites.**
*
* SSLV3 Cipher Suites:
Server rejected all cipher suites.

* TLSV1_1 Cipher Suites:
Server rejected all cipher suites.

* TLSV1_2 Cipher Suites:
Forward Secrecy OK - Supported
RC4 OK - Not Supported

     Preferred:
        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384             ECDH-256
bits 256 bits
     Accepted:
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA256               DH-2048
bits   256 bits
        RSA_WITH_AES_256_CCM_8 -              256 bits
        TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 -              256
bits
        TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 -              256 bits
        TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 -              256 bits
        RSA_WITH_AES_256_CCM -              256 bits
        TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 -              256 bits
        ARIA256-GCM-SHA384 -              256 bits
        TLS_RSA_WITH_AES_256_CBC_SHA256 -              256 bits
        TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 -              256 bits
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384             ECDH-256
bits 256 bits
        DHE_RSA_WITH_AES_256_CCM_8 -              256 bits
        ECDHE-ARIA256-GCM-SHA384 -              256 bits
        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384             ECDH-256
bits 256 bits
        TLS_DHE_RSA_WITH_AES_256_GCM_SHA384               DH-2048
bits   256 bits
        TLS_RSA_WITH_AES_256_GCM_SHA384 -              256 bits
        TLS_DHE_RSA_WITH_AES_256_CCM -              256 bits
        DHE-RSA-ARIA256-GCM-SHA384 -              256 bits
        TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 -              128 bits
        RSA_WITH_AES_128_CCM_8 -              128 bits
        RSA_WITH_AES_128_CCM -              128 bits
        DHE_RSA_WITH_AES_128_CCM -              128 bits
        DHE_RSA_WITH_AES_128_CCM_8 -              128 bits
        ARIA128-GCM-SHA256 -              128 bits
        TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 -              128 bits
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA256               DH-2048
bits   128 bits
        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256             ECDH-256
bits 128 bits
        TLS_RSA_WITH_AES_128_CBC_SHA256 -              128 bits
        ECDHE-ARIA128-GCM-SHA256 -              128 bits
        TLS_DHE_RSA_WITH_AES_128_GCM_SHA256               DH-2048
bits   128 bits
        TLS_RSA_WITH_AES_128_GCM_SHA256 -              128 bits
        TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 -              128 bits
        DHE-RSA-ARIA128-GCM-SHA256 -              128 bits
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256             ECDH-256
bits 128 bits

* TLSV1 Cipher Suites:
Server rejected all cipher suites.

SCAN COMPLETED IN 0.84 S
------------------------

These are the ones which got rejected for TLSV1_3

* TLSV1_3 Cipher Suites:
     Rejected:
        TLS_CHACHA20_POLY1305_SHA256                TLS / Alert:
protocol version
*TLS_AES_256_GCM_SHA384*                        TLS / Alert: protocol
version
        TLS_AES_128_GCM_SHA256                            TLS / Alert:
protocol version
        TLS_AES_128_CCM_SHA256                            TLS / Alert:
protocol version
        TLS_AES_128_CCM_8_SHA256                         TLS / Alert:
protocol version

when i connect to psql terminal -

psql.bin (10.9)
SSL connection (protocol: TLSv1.3, cipher: *TLS_AES_256_GCM_SHA384*,
bits: 256, compression: off)
Type "help" for help.

postgres=# show ssl_ciphers ;
ssl_ciphers
----------------------------------------------
TLSv1.2:!aNULL:!SSLv2:!SSLv3:!TLSv1:!TLSv1.3
(1 row)

postgres=#

Cipher which has been rejected -should not display in the message.

Is this expected ?

--
regards,tushar
EnterpriseDB https://www.enterprisedb.com/
The Enterprise PostgreSQL Company

Responses

Re: SSL Connection still showing TLSv1.3 even it is disabled in ssl_ciphers at 2019-08-05 14:11:12 from Tom Lane

Browse pgsql-hackers by date

	From	Date	Subject
Next Message	Michael Paquier	2019-08-05 07:30:52	Re: More issues with pg_verify_checksums and checksum verification in base backups
Previous Message	Kyotaro Horiguchi	2019-08-05 07:28:24	Re: Feature improvement: can we add queryId for pg_catalog.pg_stat_activity view?