Re: Enforcing TLS 1.3 as a a minimum version

[...Looping pgAdmin-Support]

On Tue, Apr 8, 2025 at 9:19 PM John Barker <johnobarker(at)gmail(dot)com> wrote:

> Hello,
>
> I am on a closed network so I can't copy my files and have to retype
> them. I have verified that the file below is being parsed when the
> container starts. My config.py is default as shipped with the
> container. I was previously able to get this to work with pgAdmin 8.6
> and TLS 1.2 (no ssl_context required) before the requirement to upgrade
> to pgAdmin 9.1 and TLS 1.3 (using ssl_context).
>
> I include PGADMIN_ENABLE_TLS: true in my podman compose file as well as my
> certs which are valid. There are no errors at startup in the container
> logs.
>
> Here are the total contents of gunicorn_config.py
>
> ********* BEGIN ********************
> import gunicorn
> gunicorn.SERVER_SOFTWARE = 'Python'
> conf = '/pgadmin4/config.py'
>
> #ssl_version = 'TLSv1_2' -- working 8.6 setting
> #ciphers = 'ECDHE-RSA-AES256-GCM-SHA383:!aNull' -- working 8.6 setting
>
> def ssl_context(conf, default_ssl_context_factory):
> import ssl
> context = default_ssl_context_factory()
> context.minimum_version = ssl.TLSVersion.TLSv1_3
> return context
>
> ******* EOF **************
>
> This code looks fine.

> I test TLS version using openssl like this:
>
> # openssl s_client -showcerts -tls1_2 -connect hostname:port
>
> What is the output of `curl -v <pgadmin_url>` ?

> The above command gets a valid response with a TLS 1.2 handshake using a cipher of ECDHE-RSA-AES256-GCM-SHA383. I would expect this not to work.
>
> Thanks, John
>
> On Tue, Apr 8, 2025 at 7:10 AM Khushboo Vashi <
> khushboo(dot)vashi(at)enterprisedb(dot)com> wrote:
>
>> Hi,
>>
>> On Tue, Apr 8, 2025 at 12:00 AM John Barker <johnobarker(at)gmail(dot)com>
>> wrote:
>>
>>>
>>> I am running pgAdmin 9.1 in a podman container and am trying to ensure
>>> that TLS 1.3 is the minimum version. I have created an override file and
>>> I know that it is being read at startup but the enforcement of TLS 1.3 is
>>> not happening. I am using this configuration as suggested by the
>>> documentation here: https://docs.gunicorn.org/en/21.2.0/settings.html
>>>
>>> Any idea of what to check. I know the file is being parsed because if I
>>> introduce a bad config, it is noted at startup.
>>>
>>> Also, where or how is the instance variable for the config defined?
>>>
>>> "The callable needs to accept an instance variable for the Config"
>>>
>>
>> Can you please share your gunicorn_config.py file?
>> The code looks good to me, and you said that you mapped the correct
>> Gunicorn config file from the container.
>> Also, what testing have you done to check whether the TLS version is
>> enforced or not?
>>
>>>
>>> The below is a file mapped into the container called gunicorn_config.py
>>>
>>> def ssl_context(conf, default_ssl_context_factory):
>>> import ssl
>>> context = default_ssl_context_factory()
>>> context.minimum_version = ssl.TLSVersion.TLSv1_3
>>> return context
>>>
>>>