Re: Enforcing TLS 1.3 as a minimum version

From: Khushboo Vashi <khushboo(dot)vashi(at)enterprisedb(dot)com>
To: John Barker <johnobarker(at)gmail(dot)com>
Cc: "pgadmin-support lists(dot)postgresql(dot)org" <pgadmin-support(at)lists(dot)postgresql(dot)org>
Subject: Re: Enforcing TLS 1.3 as a minimum version
Date: 2025-04-16 10:11:46
Message-ID: CAFOhELetKU+2kYvgN3p+8x9SjLdOJ_fmz1rbsyzhqaNzUMbT8g@mail.gmail.com
Lists: pgadmin-support

On Wed, Apr 9, 2025 at 7:56 PM John Barker <johnobarker(at)gmail(dot)com> wrote:

> What is the output of `curl -v <pgadmin_url>` ?
>

It generally gives output like the one below so we can verify the TLS
version.

khushboo(dot)vashi(at)MAC-HLG7090G2F web % curl -v https://google.com
* Trying 142.250.193.46:443...
* Connected to google.com (142.250.193.46) port 443 (#0)
* ALPN: offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* CAfile: /usr/local/Netskope_CA_Bundle/nscacert_combined.pem
* CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256
* ALPN: server accepted h2

> The curl connects successfully but gives no information:
>
> curl: (52) Empty reply from server.
>
> On Tue, Apr 8, 2025 at 11:38 PM Khushboo Vashi <
> khushboo(dot)vashi(at)enterprisedb(dot)com> wrote:
>
>> [...Looping pgAdmin-Support]
>>
>> On Tue, Apr 8, 2025 at 9:19 PM John Barker <johnobarker(at)gmail(dot)com> wrote:
>>
>>> Hello,
>>>
>>> I am on a closed network so I can't copy my files and have to retype
>>> them. I have verified that the file below is being parsed when the
>>> container starts. My config.py is default as shipped with the
>>> container. I was previously able to get this to work with pgAdmin 8.6
>>> and TLS 1.2 (no ssl_context required) before the requirement to upgrade
>>> to pgAdmin 9.1 and TLS 1.3 (using ssl_context).
>>>
>>> I include PGADMIN_ENABLE_TLS: true in my podman compose file as well as
>>> my certs which are valid. There are no errors at startup in the container
>>> logs.
>>>
>>> Here are the total contents of gunicorn_config.py
>>>
>>> ********* BEGIN ********************
>>> import gunicorn
>>> gunicorn.SERVER_SOFTWARE = 'Python'
>>> conf = '/pgadmin4/config.py'
>>>
>>> #ssl_version = 'TLSv1_2' -- working 8.6 setting
>>> #ciphers = 'ECDHE-RSA-AES256-GCM-SHA383:!aNull' -- working 8.6 setting
>>>
>>> def ssl_context(conf, default_ssl_context_factory):
>>>     import ssl
>>>     context = default_ssl_context_factory()
>>>     context.minimum_version = ssl.TLSVersion.TLSv1_3
>>>     return context
>>>
>>> ******* EOF **************
>>>
>>> This code looks fine.
>>
>>> I test TLS version using openssl like this:
>>>
>>> # openssl s_client -showcerts -tls1_2 -connect hostname:port
>>>
>>> What is the output of `curl -v <pgadmin_url>` ?
>>
>>> The above command gets a valid response with a TLS 1.2 handshake using a cipher of ECDHE-RSA-AES256-GCM-SHA383. I would expect this not to work.
>>>
>>> Thanks, John
>>>
>>> On Tue, Apr 8, 2025 at 7:10 AM Khushboo Vashi <
>>> khushboo(dot)vashi(at)enterprisedb(dot)com> wrote:
>>>
>>>> Hi,
>>>>
>>>> On Tue, Apr 8, 2025 at 12:00 AM John Barker <johnobarker(at)gmail(dot)com>
>>>> wrote:
>>>>
>>>>>
>>>>> I am running pgAdmin 9.1 in a podman container and am trying to ensure
>>>>> that TLS 1.3 is the minimum version. I have created an override file and
>>>>> I know that it is being read at startup but the enforcement of TLS 1.3 is
>>>>> not happening. I am using this configuration as suggested by the
>>>>> documentation here: https://docs.gunicorn.org/en/21.2.0/settings.html
>>>>>
>>>>> Any idea of what to check. I know the file is being parsed because if
>>>>> I introduce a bad config, it is noted at startup.
>>>>>
>>>>> Also, where or how is the instance variable for the config defined?
>>>>>
>>>>> "The callable needs to accept an instance variable for the Config"
>>>>>
>>>>
>>>> Can you please share your gunicorn_config.py file?
>>>> The code looks good to me, and you said that you mapped the correct
>>>> Gunicorn config file from the container.
>>>> Also, what testing have you done to check whether the TLS version is
>>>> enforced or not?
>>>>
>>>>>
>>>>> The below is a file mapped into the container called gunicorn_config.py
>>>>>
>>>>> def ssl_context(conf, default_ssl_context_factory):
>>>>>     import ssl
>>>>>     context = default_ssl_context_factory()
>>>>>     context.minimum_version = ssl.TLSVersion.TLSv1_3
>>>>>     return context
>>>>>
>>>>>
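The symptom John describes (an `openssl s_client -tls1_2` handshake that still succeeds) can be isolated from pgAdmin and checked locally. The script below is an added example, not from this thread and not pgAdmin's or Gunicorn's code: it runs the exact `ssl_context` hook from the thread against `default_factory`, an assumed stand-in for Gunicorn's default context factory (with `conf` passed as None, since the hook does not use it), and drives in-memory handshakes with a TLS 1.2-capped client and an unrestricted one. It assumes the `openssl` CLI is installed so it can mint a throwaway self-signed certificate.

```python
import ssl
import subprocess
import tempfile

def ssl_context(conf, default_ssl_context_factory):
    # The hook from the thread, unchanged: raise the floor to TLS 1.3.
    context = default_ssl_context_factory()
    context.minimum_version = ssl.TLSVersion.TLSv1_3
    return context

def handshake(server_ctx, client_ctx):
    # Full in-memory TLS handshake; returns the negotiated version, or None if refused.
    to_server, to_client = ssl.MemoryBIO(), ssl.MemoryBIO()
    server = server_ctx.wrap_bio(to_server, to_client, server_side=True)
    client = client_ctx.wrap_bio(to_client, to_server, server_hostname="localhost")
    pending = [client, server]
    try:
        for _ in range(20):  # bounded; a healthy handshake needs only a few rounds
            for side in list(pending):
                try:
                    side.do_handshake()
                    pending.remove(side)
                except ssl.SSLWantReadError:
                    pass  # waiting on bytes the peer has not written yet
            if not pending:
                return client.version()
    except ssl.SSLError:
        pass  # e.g. protocol_version alert: the server refused the offered version
    return None

def run_checks():
    # Negotiated version per case; the TLS 1.2-capped client plays `openssl s_client -tls1_2`.
    with tempfile.TemporaryDirectory() as tmp:
        key, cert = f"{tmp}/key.pem", f"{tmp}/cert.pem"  # throwaway pair; assumes the openssl CLI
        subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                        "-subj", "/CN=localhost", "-addext", "subjectAltName=DNS:localhost",
                        "-keyout", key, "-out", cert], check=True, capture_output=True)
        def default_factory():  # stand-in for Gunicorn's default factory, not its real code
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
            ctx.load_cert_chain(cert, key)
            return ctx
        def client(max_version):  # trusts only the test cert; caps the version it offers
            ctx = ssl.create_default_context(cafile=cert)
            ctx.maximum_version = max_version
            return ctx
        tls12, top = ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.MAXIMUM_SUPPORTED
        return {"no_hook_tls12_client": handshake(default_factory(), client(tls12)),
                "hook_tls12_client": handshake(ssl_context(None, default_factory), client(tls12)),
                "hook_default_client": handshake(ssl_context(None, default_factory), client(top))}
```

When the hook is applied, the TLS 1.2-capped client gets None (refused) and the unrestricted client negotiates TLSv1.3; a TLSv1.2 result on the capped client, which is what the `-tls1_2` test on the list observed, means the context the server is actually serving with never had the minimum applied.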
