View Revisions: Issue #608

Summary 0000608: pgpool ssl front end accept all ciphers. not working as expected.
Revision 2020-05-01 17:29 by t-ishii
Steps To Reproduce Enable SSL in pgpool and run sslyze.

# Scan the pgpool listener (port 5446 here) through the PostgreSQL STARTTLS
# upgrade and report which cipher suites it accepts for each protocol version
# from SSLv2 to TLS 1.2. The accepted set is what gets compared against the
# ssl_ciphers value in the configuration below.
sslyze --sslv2 --sslv3 --tlsv1 --tlsv1_1 --tlsv1_2 myhostname:5446 --starttls=postgres


# pgpool SSL settings as given in the report. The issue summary states that the
# frontend accepted all ciphers despite the ssl_ciphers restriction set here.
ssl = on
                                   # Enable SSL support
                                   # (change requires restart)
ssl_key = '/pg-data/pg_dv/data/server.key'
                                   # Path to the SSL private key file
                                   # (change requires restart)
                                   # NOTE(review): keep this file readable only
                                   # by the account that runs pgpool.
ssl_cert = '/pg-data/pg_dv/data/server.crt'
                                   # Path to the SSL public certificate file
                                   # (change requires restart)
#ssl_ca_cert = ''
                                   # Path to a single PEM format file
                                   # containing CA root certificate(s)
                                   # (change requires restart)
#ssl_ca_cert_dir = ''
                                   # Directory containing CA root certificate(s)
                                   # (change requires restart)
                                   # NOTE(review): both CA settings are commented
                                   # out, so no CA bundle is configured here;
                                   # presumably client certificates are not
                                   # verified - confirm.

ssl_ciphers = 'TLSv1.2+HIGH:!eNULL:!aEECDH+HIGH+RSA:!ADH'
                                   # Allowed SSL ciphers
                                   # (change requires restart)
                                   # OpenSSL cipher-list syntax: ':' separates
                                   # entries, '+' combines selectors (logical
                                   # AND), '!' permanently excludes. Intent here:
                                   # allow only TLSv1.2-class HIGH suites and
                                   # exclude no-encryption (eNULL) and anonymous
                                   # DH (ADH) suites.
                                   # NOTE(review): 'aEECDH' does not look like a
                                   # documented OpenSSL selector (aECDH, kEECDH
                                   # and EECDH are) - possibly a typo; check what
                                   # the string expands to with
                                   # openssl ciphers -v '<cipher string>'
                                   # on the OpenSSL build pgpool is linked with.
                                   # NOTE(review): this value filters cipher
                                   # suites; it is not a protocol-version
                                   # setting. After a restart, re-run the scan to
                                   # confirm the listener really enforces it.
ssl_prefer_server_ciphers = on
                                   # Use server's SSL cipher preferences,
                                   # rather than the client's
                                   # (change requires restart)
                                   # This affects only the order of preference
                                   # among allowed suites; it does not narrow
                                   # the set the server accepts.
Revision 2020-04-30 05:50 by denho
Steps To Reproduce Enable SSL in pgpool and run sslyze.

# Scan the pgpool listener (port 5446 here) through the PostgreSQL STARTTLS
# upgrade and report which cipher suites it accepts for each protocol version
# from SSLv2 to TLS 1.2. The accepted set is what gets compared against the
# ssl_ciphers value in the configuration below.
sslyze --sslv2 --sslv3 --tlsv1 --tlsv1_1 --tlsv1_2 myhostname:5446 --starttls=postgres


# pgpool SSL settings as given in the original revision of the report. The issue
# summary states that the frontend accepted all ciphers despite the ssl_ciphers
# restriction set here.
ssl = on
                                   # Enable SSL support
                                   # (change requires restart)
ssl_key = '/pg-data/pg_dv/data/server.key'
                                   # Path to the SSL private key file
                                   # (change requires restart)
                                   # NOTE(review): keep this file readable only
                                   # by the account that runs pgpool.
ssl_cert = '/pg-data/pg_dv/data/server.crt'
                                   # Path to the SSL public certificate file
                                   # (change requires restart)
#ssl_ca_cert = ''
                                   # Path to a single PEM format file
                                   # containing CA root certificate(s)
                                   # (change requires restart)
#ssl_ca_cert_dir = ''
                                   # Directory containing CA root certificate(s)
                                   # (change requires restart)
                                   # NOTE(review): both CA settings are commented
                                   # out, so no CA bundle is configured here;
                                   # presumably client certificates are not
                                   # verified - confirm.

ssl_ciphers = 'TLSv1.2+HIGH:!eNULL:!aEECDH+HIGH+RSA:!ADH'
                                   # Allowed SSL ciphers
                                   # (change requires restart)
                                   # OpenSSL cipher-list syntax: ':' separates
                                   # entries, '+' combines selectors (logical
                                   # AND), '!' permanently excludes. Intent here:
                                   # allow only TLSv1.2-class HIGH suites and
                                   # exclude no-encryption (eNULL) and anonymous
                                   # DH (ADH) suites.
                                   # NOTE(review): 'aEECDH' does not look like a
                                   # documented OpenSSL selector (aECDH, kEECDH
                                   # and EECDH are) - possibly a typo; check what
                                   # the string expands to with
                                   # openssl ciphers -v '<cipher string>'
                                   # on the OpenSSL build pgpool is linked with.
                                   # NOTE(review): this value filters cipher
                                   # suites; it is not a protocol-version
                                   # setting. After a restart, re-run the scan to
                                   # confirm the listener really enforces it.
ssl_prefer_server_ciphers = on
                                   # Use server's SSL cipher preferences,
                                   # rather than the client's
                                   # (change requires restart)
                                   # This affects only the order of preference
                                   # among allowed suites; it does not narrow
                                   # the set the server accepts.