View Revisions: Issue #608

Summary 0000608: pgpool SSL front end accepts all ciphers; not working as expected.
Revision 2020-05-01 17:29 by t-ishii
Description: First of all I want to say a big thanks to the pgpool crew for all their hard work!

Here is the issue. I configured pgpool to accept SSL connections on the front end. However, when I run sslyze:

sslyze --sslv2 --sslv3 --tlsv1 --tlsv1_1 --tlsv1_2 myhostname:5446 --starttls=postgres
The report shows that pgpool accepts TLS 1.0, TLS 1.1 and TLS 1.2. I only need TLS 1.2 supported; the others pose a security risk.

If I run the same command directly against postgres, I only get TLS 1.2 support.

In my SSL section for pgpool I have:

# - SSL Connections -

ssl = on
                                   # Enable SSL support
                                   # (change requires restart)
ssl_key = '/pg-data/pg_dv/data/server.key'
                                   # Path to the SSL private key file
                                   # (change requires restart)
ssl_cert = '/pg-data/pg_dv/data/server.crt'
                                   # Path to the SSL public certificate file
                                   # (change requires restart)
#ssl_ca_cert = ''
                                   # Path to a single PEM format file
                                   # containing CA root certificate(s)
                                   # (change requires restart)
#ssl_ca_cert_dir = ''
                                   # Directory containing CA root certificate(s)
                                   # (change requires restart)

ssl_ciphers = 'TLSv1.2+HIGH:!eNULL:!aEECDH+HIGH+RSA:!ADH'
                                   # Allowed SSL ciphers
                                   # (change requires restart)
ssl_prefer_server_ciphers = on
                                   # Use server's SSL cipher preferences,
                                   # rather than the client's
                                   # (change requires restart)

For postgresql.conf I use the exact same ciphers:
ssl_ciphers = 'TLSv1.2+HIGH:!eNULL:!aEECDH+HIGH+RSA:!ADH'

I tested this behavior with pgpool 4.1.1 and pgpool 4.0.4.

I am attaching pgpool debug info from when sslyze was running, as well as the sslyze reports for both the pgpool node and a postgres node.

Please help out with this!

Thank you!
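A small probe that repeats the sslyze check from the report, added here as an example and not code from the report or from pgpool: it sends the PostgreSQL SSLRequest that pgpool and postgres both answer with 'S' or 'N', then attempts a handshake pinned to one TLS version at a time, so after a configuration change you can confirm that only TLS 1.2 is negotiable on the front end. The host, port and function names are assumptions.

```python
import socket
import ssl
import struct

# SSLRequest message of the PostgreSQL frontend/backend protocol: int32 length (8)
# followed by the request code 80877103 (1234 in the high 16 bits, 5679 in the low).
SSL_REQUEST_CODE = 80877103

# Versions to probe, oldest first. Anything below TLSv1.2 is the exposure in the report.
PROBE_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}

def build_ssl_request() -> bytes:
    """Serialize the 8-byte SSLRequest that starts STARTTLS on a postgres-protocol port."""
    return struct.pack("!ii", 8, SSL_REQUEST_CODE)

def parse_ssl_response(byte: bytes) -> bool:
    """The server replies with one byte: 'S' (continue with TLS) or 'N' (no TLS)."""
    if byte == b"S":
        return True
    if byte == b"N":
        return False
    raise ValueError(f"unexpected SSLRequest response: {byte!r}")

def probe_version(host: str, port: int, version: ssl.TLSVersion, timeout: float = 5.0) -> bool:
    """True if the server completes a handshake pinned to exactly this TLS version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = version
    ctx.maximum_version = version
    # This is a version probe, not a real client: skip certificate validation and
    # lower OpenSSL's security level so the client may offer TLS 1.0/1.1 at all.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # builds without security levels (e.g. LibreSSL) reject the keyword
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(build_ssl_request())
        if not parse_ssl_response(raw.recv(1)):
            return False
        try:
            with ctx.wrap_socket(raw) as tls:  # handshake happens here
                return tls.version() is not None
        except (ssl.SSLError, OSError):
            return False

def below_tls12(results: dict) -> list:
    """Names of accepted versions older than TLSv1.2, i.e. what should be disabled."""
    return [n for n, ok in results.items() if ok and PROBE_VERSIONS[n] < ssl.TLSVersion.TLSv1_2]

if __name__ == "__main__":
    results = {n: probe_version("myhostname", 5446, v) for n, v in PROBE_VERSIONS.items()}
    print(results, "weak:", below_tls12(results))  # hostname/port are placeholders
```

Run it against the pgpool port (5446 in the report) and the postgres port; an empty "weak" list on both is the state the report is asking for.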



Revision 2020-04-30 05:50 by denho