From: John Barker <johnobarker@gmail.com>
Date: Fri, 11 Apr 2025 12:26:35 -0400
Subject: Re: Enforcing TLS 1.3 as a minimum version
To: Khushboo Vashi <khushboo.vashi@enterprisedb.com>
Cc: pgadmin-support@lists.postgresql.org

Just wanted to bounce this up.

Thanks,

John

On Wed, Apr 9, 2025 at 10:26 AM John Barker <johnobarker@gmail.com> wrote:

> What is the output of `curl -v <pgadmin_url>` ?
>
> The curl connects successfully but gives no information:
>
> curl: (52) Empty reply from server.
>
> On Tue, Apr 8, 2025 at 11:38 PM Khushboo Vashi <khushboo.vashi@enterprisedb.com> wrote:
>
>> [...Looping pgAdmin-Support]
>>
>> On Tue, Apr 8, 2025 at 9:19 PM John Barker <johnobarker@gmail.com> wrote:
>>
>>> Hello,
>>>
>>> I am on a closed network so I can't copy my files and have to retype
>>> them. I have verified that the file below is being parsed when the
>>> container starts. My config.py is default as shipped with the
>>> container. I was previously able to get this to work with pgAdmin 8.6
>>> and TLS 1.2 (no ssl_context required) before the requirement to upgrade
>>> to pgAdmin 9.1 and TLS 1.3 (using ssl_context).
>>>
>>> I include PGADMIN_ENABLE_TLS: true in my podman compose file as well as
>>> my certs which are valid. There are no errors at startup in the container
>>> logs.
>>>
>>> Here are the total contents of gunicorn_config.py
>>>
>>> ********* BEGIN ********************
>>> import gunicorn
>>> gunicorn.SERVER_SOFTWARE = 'Python'
>>> conf = '/pgadmin4/config.py'
>>>
>>> #ssl_version = 'TLSv1_2'     -- working 8.6 setting
>>> #ciphers = 'ECDHE-RSA-AES256-GCM-SHA383:!aNull'  -- working 8.6 setting
>>>
>>> def ssl_context(conf, default_ssl_context_factory):
>>>     import ssl
>>>     context = default_ssl_context_factory()
>>>     context.minimum_version = ssl.TLSVersion.TLSv1_3
>>>     return context
>>>
>>> ******* EOF **************
>>>
>> This code looks fine.
>>
>>> I test TLS version using openssl like this:
>>>
>>> # openssl s_client -showcerts -tls1_2 -connect hostname:port
>>>
>> What is the output of `curl -v <pgadmin_url>` ?
>>
>>> The above command gets a valid response with a TLS 1.2 handshake using
>>> a cipher of ECDHE-RSA-AES256-GCM-SHA383. I would expect this not to work.
>>>
>>> Thanks, John
>>>
>>> On Tue, Apr 8, 2025 at 7:10 AM Khushboo Vashi <khushboo.vashi@enterprisedb.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> On Tue, Apr 8, 2025 at 12:00 AM John Barker <johnobarker@gmail.com> wrote:
>>>>
>>>>> I am running pgAdmin 9.1 in a podman container and am trying to ensure
>>>>> that TLS 1.3 is the minimum version. I have created an override file and
>>>>> I know that it is being read at startup but the enforcement of TLS 1.3 is
>>>>> not happening. I am using this configuration as suggested by the
>>>>> documentation here: https://docs.gunicorn.org/en/21.2.0/settings.html
>>>>>
>>>>> Any idea of what to check? I know the file is being parsed because if
>>>>> I introduce a bad config, it is noted at startup.
>>>>>
>>>>> Also, where or how is the instance variable for the config defined?
>>>>>
>>>>> "The callable needs to accept an instance variable for the Config"
>>>>>
>>>> Can you please share your gunicorn_config.py file?
>>>> The code looks good to me, and you said that you mapped the correct
>>>> Gunicorn config file from the container.
>>>> Also, what testing have you done to check whether the TLS version is
>>>> enforced or not?
>>>>
>>>>> The below is a file mapped into the container called gunicorn_config.py
>>>>>
>>>>> def ssl_context(conf, default_ssl_context_factory):
>>>>>     import ssl
>>>>>     context = default_ssl_context_factory()
>>>>>     context.minimum_version = ssl.TLSVersion.TLSv1_3
>>>>>     return context
>>>>>
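Added example, not part of this thread and not pgAdmin's or Gunicorn's own code: the `ssl_context` hook as posted above, together with two checks that answer Khushboo's question ("what testing have you done to check whether the TLS version is enforced?") from the operator's side. `allowed_versions` inspects the context the hook returns, so you can confirm the floor was set before blaming the server; `probe_tls_version` is a constructed helper that plays the role of `openssl s_client -tls1_2 -connect host:port` and reports whether a live server accepts a single offered protocol version. Assumptions: `default_ssl_context_factory` here is a stand-in for the callable Gunicorn passes to the hook (it returns a server-side `SSLContext` with no certificate loaded, which is enough to inspect version policy), `conf` is unused as in the thread, and the host/port in the `__main__` comment are placeholders.

```python
"""Gunicorn-style TLS 1.3 floor plus operator-side checks (added example)."""
import socket
import ssl

# Protocol versions the ssl module knows about, oldest first.
_VERSIONS = [
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]


def ssl_context(conf, default_ssl_context_factory):
    """The hook from the thread: take the server's default context, raise the floor."""
    context = default_ssl_context_factory()
    context.minimum_version = ssl.TLSVersion.TLSv1_3
    return context


def default_ssl_context_factory():
    """Stand-in (assumption) for Gunicorn's factory: a server-side context
    without a certificate; version policy can be inspected without one."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def allowed_versions(context):
    """List the protocol versions a context will negotiate, derived from its
    minimum_version/maximum_version window. MINIMUM_SUPPORTED and
    MAXIMUM_SUPPORTED are read as the ends of the known range."""
    lo, hi = context.minimum_version, context.maximum_version
    start = 0 if lo == ssl.TLSVersion.MINIMUM_SUPPORTED else _VERSIONS.index(lo)
    end = len(_VERSIONS) - 1 if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED else _VERSIONS.index(hi)
    return [v.name for v in _VERSIONS[start:end + 1]]


def tls13_only(context):
    """True only if nothing below TLS 1.3 can be negotiated on this context."""
    return allowed_versions(context) == ["TLSv1_3"]


def probe_tls_version(host, port, version, cafile=None, timeout=5.0):
    """Offer exactly one protocol version to a live server and report the
    outcome, like `openssl s_client -tls1_2`. Returns (connected, detail).
    A server with a TLS 1.3 floor should give (False, ...) for TLSv1_2.
    Certificate verification stays on; pass the issuing CA via `cafile`
    for an internal deployment."""
    client = ssl.create_default_context(cafile=cafile)
    client.minimum_version = version
    client.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with client.wrap_socket(raw, server_hostname=host) as tls:
                return True, f"negotiated {tls.version()} with {tls.cipher()[0]}"
    except ssl.SSLCertVerificationError as exc:
        return False, f"certificate rejected: {exc.verify_message}"
    except ssl.SSLError as exc:
        return False, f"handshake refused: {exc.reason}"
    except OSError as exc:
        return False, f"connect failed: {exc}"


if __name__ == "__main__":
    ctx = ssl_context(None, default_ssl_context_factory)
    print("allowed:", allowed_versions(ctx), "tls13_only:", tls13_only(ctx))
    # Against a real deployment (hostname and port are placeholders):
    # print(probe_tls_version("pgadmin.example", 443, ssl.TLSVersion.TLSv1_2))
```

If `allowed_versions` already reports `['TLSv1_3']` for the context your hook returns but `probe_tls_version(..., TLSv1_2)` still connects, the context being inspected is not the one the listening process actually uses, which is the situation the thread describes; the two checks together separate a config-file problem from a hook-not-applied problem.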