From: | Jan Bilek <jan(dot)bilek(at)eftlab(dot)co(dot)uk> |
---|---|
To: | pgsql-hackers(at)postgresql(dot)org |
Cc: | Chris Dawes <chris(dot)dawes(at)eftlab(dot)co(dot)uk> |
Subject: | Postgres and TLSv1.2 |
Date: | 2015-05-21 11:32:18 |
Message-ID: | 555DC242.4010006@eftlab.co.uk |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
G'Day guys,
after exploiting all the other sources, I've reached the point where I
need to use this final option to get some help.
We are trying to setup Postgres with TLSv1.2 (undergoing PA:DSS audit),
but getting a bit stuck there with Postgres reporting “could not accept
SSL connection: no shared cipher”. This is obviously an internal OpenSSL
message, but worrying part is that we've had this setup running with the
other encryptions and the same certificates without any problems.
We've been trying to follow documentation from here:
http://www.postgresql.org/docs/9.3/static/ssl-tcp.html.
making changes in /etc/postgresql/9.3/main/postgresql.conf:
<before>
ssl = true
#ssl_ciphers = 'DEFAULT:!LOW:!EXP:!MD5:@STRENGTH'
#ssl_renegotiation_limit = 512MB
ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'
#ssl_ca_file = ''
#ssl_crl_file = ''
#password_encryption = on
#db_user_namespace = off
</before>
<after>
ssl = true
ssl_ciphers = 'TLSv1.2:!aNULL'
#ssl_renegotiation_limit = 512MB
ssl_cert_file = '/var/lib/postgresql/9.3/main/server.crt'
ssl_key_file = '/var/lib/postgresql/9.3/main/server.key'
ssl_ca_file = '/var/lib/postgresql/9.3/main/root.crt'
#ssl_crl_file = ''
#password_encryption = on
#db_user_namespace = off
</after>
logon string:
postgresql://bp-node(at)172(dot)27(dot)72(dot)45/bp-node?sslmode=require
latest OpenSSL available.
$ openssl ciphers -v 'TLSv1.2:!aNULL' returns all cyphers
Once again - Certificates should be fine as this seem to work for any
other encryptions.
Can I have your advice please?
Kind Regards,
Jan
Jan Bilek
CTO, EFTlab Pty Ltd
email:jan(dot)bilek(at)eftlab(dot)co(dot)uk
mob: +61 (0) 498 103 179
Note: When we've been doing the SSL/TLS implementation for our product,
we've encountered same problem when SSL context was initialised after
the SSL socket, so socket creation was done "on empty CTX". But that was
for all encryptions.
From | Date | Subject | |
---|---|---|---|
Next Message | Robert Haas | 2015-05-21 11:41:37 | Re: Re: [COMMITTERS] pgsql: Add support for INSERT ... ON CONFLICT DO NOTHING/UPDATE. |
Previous Message | Volker Aßmann | 2015-05-21 09:43:51 | Re: Disabling trust/ident authentication configure option |