| From: | pramod kg <pramod11287(at)gmail(dot)com> |
|---|---|
| To: | Peter Eisentraut <peter(dot)eisentraut(at)enterprisedb(dot)com> |
| Cc: | pgsql-admin(at)postgresql(dot)org |
| Subject: | Re: PostgreSQL SSL params |
| Date: | 2021-06-14 08:47:41 |
| Message-ID: | CAHkcXnxF_nRWjDxdhE4g+_Z_wEdv5izXd5o4aWMQJ3PEg=+AhA@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-admin |
Try to get a list of specific ciphers that they object to. Then you can
use "openssl ciphers" and SSL_CTX_set_cipher_list(3) to tune your settings.
Okay. Will do thanks.
On Mon, Jun 14, 2021 at 1:23 PM Peter Eisentraut <
peter(dot)eisentraut(at)enterprisedb(dot)com> wrote:
> On 13.06.21 16:20, pramod kg wrote:
> > I have enabled ssl on my PG servers and have set ssl_cipher to "HIGH".
> > Still, the security team complains that weak ciphers are accepted at
> > server side (They have run some security tests).
>
> Try to get a list of specific ciphers that they object to. Then you can
> use "openssl ciphers" and SSL_CTX_set_cipher_list(3) to tune your settings.
>
> > Security team
> > suggesting to use ssl_dh_params_file.
> >
> > As per my understanding, DH is a key exchange protocol (read in some
> > forum). DH is used to securely generate a common key between two
> > parties, other algorithms are used for encryption itself. So I
> > believe that dhparam does not help in resolving weak cipher issues. Need
> > some insight on this.
>
> I think you are correct on this.
>
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Don Seiler | 2021-06-14 14:16:39 | Re: Estimating HugePages Requirements? |
| Previous Message | Peter Eisentraut | 2021-06-14 07:53:08 | Re: PostgreSQL SSL params |