public inbox for [email protected]
Fwd: Enforcing TLS 1.3 as a minimum version
* Fwd: Enforcing TLS 1.3 as a minimum version
From: John Barker @ 2025-04-07 18:29 UTC
To: [email protected]
I am running pgAdmin 9.1 in a podman container and am trying to ensure that
TLS 1.3 is the minimum version. I have created an override file and I
know that it is being read at startup but the enforcement of TLS 1.3 is not
happening. I am using this configuration as suggested by the
documentation here: https://docs.gunicorn.org/en/21.2.0/settings.html
Any idea of what to check? I know the file is being parsed because if I
introduce a bad config, it is noted at startup.
Also, where or how is the instance variable for the config defined?
"The callable needs to accept an instance variable for the Config"
The below is a file mapped into the container called gunicorn_config.py
def ssl_context(conf, default_ssl_context_factory):
    import ssl
    context = default_ssl_context_factory()
    context.minimum_version = ssl.TLSVersion.TLSv1_3
    return context
* Re: Enforcing TLS 1.3 as a minimum version
From: Khushboo Vashi @ 2025-04-08 11:10 UTC
To: John Barker <[email protected]>; +Cc: [email protected]
Hi,
On Tue, Apr 8, 2025 at 12:00 AM John Barker <[email protected]> wrote:
>
> I am running pgAdmin 9.1 in a podman container and am trying to ensure
> that TLS 1.3 is the minimum version. I have created an override file and
> I know that it is being read at startup but the enforcement of TLS 1.3 is
> not happening. I am using this configuration as suggested by the
> documentation here: https://docs.gunicorn.org/en/21.2.0/settings.html
>
> Any idea of what to check. I know the file is being parsed because if I
> introduce a bad config, it is noted at startup.
>
> Also, where or how is the instance variable for the config defined?
>
> "The callable needs to accept an instance variable for the Config"
>
Can you please share your gunicorn_config.py file?
The code looks good to me, and you said that you mapped the correct
Gunicorn config file from the container.
Also, what testing have you done to check whether the TLS version is
enforced or not?
>
> The below is a file mapped into the container called gunicorn_config.py
>
> def ssl_context(conf, default_ssl_context_factory):
>     import ssl
>     context = default_ssl_context_factory()
>     context.minimum_version = ssl.TLSVersion.TLSv1_3
>     return context
>
>
* Re: Enforcing TLS 1.3 as a minimum version
From: Khushboo Vashi @ 2025-04-09 03:38 UTC
To: John Barker <[email protected]>; +Cc: pgadmin-support lists.postgresql.org <[email protected]>
[...Looping pgAdmin-Support]
On Tue, Apr 8, 2025 at 9:19 PM John Barker <[email protected]> wrote:
> Hello,
>
> I am on a closed network so I can't copy my files and have to retype
> them. I have verified that the file below is being parsed when the
> container starts. My config.py is default as shipped with the
> container. I was previously able to get this to work with pgAdmin 8.6
> and TLS 1.2 (no ssl_context required) before the requirement to upgrade
> to pgAdmin 9.1 and TLS 1.3 (using ssl_context).
>
> I include PGADMIN_ENABLE_TLS: true in my podman compose file as well as my
> certs which are valid. There are no errors at startup in the container
> logs.
>
> Here are the total contents of gunicorn_config.py
>
> ********* BEGIN ********************
> import gunicorn
> gunicorn.SERVER_SOFTWARE = 'Python'
> conf = '/pgadmin4/config.py'
>
> #ssl_version = 'TLSv1_2' -- working 8.6 setting
> #ciphers = 'ECDHE-RSA-AES256-GCM-SHA383:!aNull' -- working 8.6 setting
>
> def ssl_context(conf, default_ssl_context_factory):
>     import ssl
>     context = default_ssl_context_factory()
>     context.minimum_version = ssl.TLSVersion.TLSv1_3
>     return context
>
> ******* EOF **************
>
This code looks fine.
> I test TLS version using openssl like this:
>
> # openssl s_client -showcerts -tls1_2 -connect hostname:port
>
What is the output of `curl -v <pgadmin_url>` ?
> The above command gets a valid response with a TLS 1.2 handshake using a cipher of ECDHE-RSA-AES256-GCM-SHA383. I would expect this not to work.
>
> Thanks, John
>
> On Tue, Apr 8, 2025 at 7:10 AM Khushboo Vashi <
> [email protected]> wrote:
>
>> Hi,
>>
>> On Tue, Apr 8, 2025 at 12:00 AM John Barker <[email protected]>
>> wrote:
>>
>>>
>>> I am running pgAdmin 9.1 in a podman container and am trying to ensure
>>> that TLS 1.3 is the minimum version. I have created an override file and
>>> I know that it is being read at startup but the enforcement of TLS 1.3 is
>>> not happening. I am using this configuration as suggested by the
>>> documentation here: https://docs.gunicorn.org/en/21.2.0/settings.html
>>>
>>> Any idea of what to check. I know the file is being parsed because if I
>>> introduce a bad config, it is noted at startup.
>>>
>>> Also, where or how is the instance variable for the config defined?
>>>
>>> "The callable needs to accept an instance variable for the Config"
>>>
>>
>> Can you please share your gunicorn_config.py file?
>> The code looks good to me, and you said that you mapped the correct
>> Gunicorn config file from the container.
>> Also, what testing have you done to check whether the TLS version is
>> enforced or not?
>>
>>>
>>> The below is a file mapped into the container called gunicorn_config.py
>>>
>>> def ssl_context(conf, default_ssl_context_factory):
>>>     import ssl
>>>     context = default_ssl_context_factory()
>>>     context.minimum_version = ssl.TLSVersion.TLSv1_3
>>>     return context
>>>
>>>
* Re: Enforcing TLS 1.3 as a minimum version
From: John Barker @ 2025-04-09 14:26 UTC
To: Khushboo Vashi <[email protected]>; +Cc: pgadmin-support lists.postgresql.org <[email protected]>
> What is the output of `curl -v <pgadmin_url>` ?
The curl connects successfully but gives no information:
curl: (52) Empty reply from server.
On Tue, Apr 8, 2025 at 11:38 PM Khushboo Vashi <
[email protected]> wrote:
> [...Looping pgAdmin-Support]
>
> On Tue, Apr 8, 2025 at 9:19 PM John Barker <[email protected]> wrote:
>
>> Hello,
>>
>> I am on a closed network so I can't copy my files and have to retype
>> them. I have verified that the file below is being parsed when the
>> container starts. My config.py is default as shipped with the
>> container. I was previously able to get this to work with pgAdmin 8.6
>> and TLS 1.2 (no ssl_context required) before the requirement to upgrade
>> to pgAdmin 9.1 and TLS 1.3 (using ssl_context).
>>
>> I include PGADMIN_ENABLE_TLS: true in my podman compose file as well as
>> my certs which are valid. There are no errors at startup in the container
>> logs.
>>
>> Here are the total contents of gunicorn_config.py
>>
>> ********* BEGIN ********************
>> import gunicorn
>> gunicorn.SERVER_SOFTWARE = 'Python'
>> conf = '/pgadmin4/config.py'
>>
>> #ssl_version = 'TLSv1_2' -- working 8.6 setting
>> #ciphers = 'ECDHE-RSA-AES256-GCM-SHA383:!aNull' -- working 8.6 setting
>>
>> def ssl_context(conf, default_ssl_context_factory):
>>     import ssl
>>     context = default_ssl_context_factory()
>>     context.minimum_version = ssl.TLSVersion.TLSv1_3
>>     return context
>>
>> ******* EOF **************
>>
> This code looks fine.
>> I test TLS version using openssl like this:
>>
>> # openssl s_client -showcerts -tls1_2 -connect hostname:port
>>
> What is the output of `curl -v <pgadmin_url>` ?
>> The above command gets a valid response with a TLS 1.2 handshake using a cipher of ECDHE-RSA-AES256-GCM-SHA383. I would expect this not to work.
>>
>> Thanks, John
>>
>> On Tue, Apr 8, 2025 at 7:10 AM Khushboo Vashi <
>> [email protected]> wrote:
>>
>>> Hi,
>>>
>>> On Tue, Apr 8, 2025 at 12:00 AM John Barker <[email protected]>
>>> wrote:
>>>
>>>>
>>>> I am running pgAdmin 9.1 in a podman container and am trying to ensure
>>>> that TLS 1.3 is the minimum version. I have created an override file and
>>>> I know that it is being read at startup but the enforcement of TLS 1.3 is
>>>> not happening. I am using this configuration as suggested by the
>>>> documentation here: https://docs.gunicorn.org/en/21.2.0/settings.html
>>>>
>>>> Any idea of what to check. I know the file is being parsed because if
>>>> I introduce a bad config, it is noted at startup.
>>>>
>>>> Also, where or how is the instance variable for the config defined?
>>>>
>>>> "The callable needs to accept an instance variable for the Config"
>>>>
>>>
>>> Can you please share your gunicorn_config.py file?
>>> The code looks good to me, and you said that you mapped the correct
>>> Gunicorn config file from the container.
>>> Also, what testing have you done to check whether the TLS version is
>>> enforced or not?
>>>
>>>>
>>>> The below is a file mapped into the container called gunicorn_config.py
>>>>
>>>> def ssl_context(conf, default_ssl_context_factory):
>>>>     import ssl
>>>>     context = default_ssl_context_factory()
>>>>     context.minimum_version = ssl.TLSVersion.TLSv1_3
>>>>     return context
>>>>
>>>>
* Re: Enforcing TLS 1.3 as a minimum version
From: John Barker @ 2025-04-11 16:26 UTC
To: Khushboo Vashi <[email protected]>; +Cc: pgadmin-support lists.postgresql.org <[email protected]>
Just wanted to bounce this up.
Thanks,
John
On Wed, Apr 9, 2025 at 10:26 AM John Barker <[email protected]> wrote:
>> What is the output of `curl -v <pgadmin_url>` ?
>
> The curl connects successfully but gives no information:
>
> curl: (52) Empty reply from server.
>
> On Tue, Apr 8, 2025 at 11:38 PM Khushboo Vashi <
> [email protected]> wrote:
>
>> [...Looping pgAdmin-Support]
>>
>> On Tue, Apr 8, 2025 at 9:19 PM John Barker <[email protected]> wrote:
>>
>>> Hello,
>>>
>>> I am on a closed network so I can't copy my files and have to retype
>>> them. I have verified that the file below is being parsed when the
>>> container starts. My config.py is default as shipped with the
>>> container. I was previously able to get this to work with pgAdmin 8.6
>>> and TLS 1.2 (no ssl_context required) before the requirement to upgrade
>>> to pgAdmin 9.1 and TLS 1.3 (using ssl_context).
>>>
>>> I include PGADMIN_ENABLE_TLS: true in my podman compose file as well as
>>> my certs which are valid. There are no errors at startup in the container
>>> logs.
>>>
>>> Here are the total contents of gunicorn_config.py
>>>
>>> ********* BEGIN ********************
>>> import gunicorn
>>> gunicorn.SERVER_SOFTWARE = 'Python'
>>> conf = '/pgadmin4/config.py'
>>>
>>> #ssl_version = 'TLSv1_2' -- working 8.6 setting
>>> #ciphers = 'ECDHE-RSA-AES256-GCM-SHA383:!aNull' -- working 8.6 setting
>>>
>>> def ssl_context(conf, default_ssl_context_factory):
>>>     import ssl
>>>     context = default_ssl_context_factory()
>>>     context.minimum_version = ssl.TLSVersion.TLSv1_3
>>>     return context
>>>
>>> ******* EOF **************
>>>
>> This code looks fine.
>>> I test TLS version using openssl like this:
>>>
>>> # openssl s_client -showcerts -tls1_2 -connect hostname:port
>>>
>> What is the output of `curl -v <pgadmin_url>` ?
>>> The above command gets a valid response with a TLS 1.2 handshake using a cipher of ECDHE-RSA-AES256-GCM-SHA383. I would expect this not to work.
>>>
>>> Thanks, John
>>>
>>> On Tue, Apr 8, 2025 at 7:10 AM Khushboo Vashi <
>>> [email protected]> wrote:
>>>
>>>> Hi,
>>>>
>>>> On Tue, Apr 8, 2025 at 12:00 AM John Barker <[email protected]>
>>>> wrote:
>>>>
>>>>>
>>>>> I am running pgAdmin 9.1 in a podman container and am trying to ensure
>>>>> that TLS 1.3 is the minimum version. I have created an override file and
>>>>> I know that it is being read at startup but the enforcement of TLS 1.3 is
>>>>> not happening. I am using this configuration as suggested by the
>>>>> documentation here: https://docs.gunicorn.org/en/21.2.0/settings.html
>>>>>
>>>>> Any idea of what to check. I know the file is being parsed because if
>>>>> I introduce a bad config, it is noted at startup.
>>>>>
>>>>> Also, where or how is the instance variable for the config defined?
>>>>>
>>>>> "The callable needs to accept an instance variable for the Config"
>>>>>
>>>>
>>>> Can you please share your gunicorn_config.py file?
>>>> The code looks good to me, and you said that you mapped the correct
>>>> Gunicorn config file from the container.
>>>> Also, what testing have you done to check whether the TLS version is
>>>> enforced or not?
>>>>
>>>>>
>>>>> The below is a file mapped into the container called gunicorn_config.py
>>>>>
>>>>> def ssl_context(conf, default_ssl_context_factory):
>>>>>     import ssl
>>>>>     context = default_ssl_context_factory()
>>>>>     context.minimum_version = ssl.TLSVersion.TLSv1_3
>>>>>     return context
>>>>>
>>>>>
* Re: Enforcing TLS 1.3 as a minimum version
From: Khushboo Vashi @ 2025-04-16 10:11 UTC
To: John Barker <[email protected]>; +Cc: pgadmin-support lists.postgresql.org <[email protected]>
On Wed, Apr 9, 2025 at 7:56 PM John Barker <[email protected]> wrote:
>> What is the output of `curl -v <pgadmin_url>` ?
>
It generally gives output like the one below so we can verify the TLS
version.
khushboo.vashi@MAC-HLG7090G2F web % curl -v https://google.com
* Trying 142.250.193.46:443...
* Connected to google.com (142.250.193.46) port 443 (#0)
* ALPN: offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* CAfile: /usr/local/Netskope_CA_Bundle/nscacert_combined.pem
* CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256
* ALPN: server accepted h2
> The curl connects successfully but gives no information:
>
> curl: (52) Empty reply from server.
>
> On Tue, Apr 8, 2025 at 11:38 PM Khushboo Vashi <
> [email protected]> wrote:
>
>> [...Looping pgAdmin-Support]
>>
>> On Tue, Apr 8, 2025 at 9:19 PM John Barker <[email protected]> wrote:
>>
>>> Hello,
>>>
>>> I am on a closed network so I can't copy my files and have to retype
>>> them. I have verified that the file below is being parsed when the
>>> container starts. My config.py is default as shipped with the
>>> container. I was previously able to get this to work with pgAdmin 8.6
>>> and TLS 1.2 (no ssl_context required) before the requirement to upgrade
>>> to pgAdmin 9.1 and TLS 1.3 (using ssl_context).
>>>
>>> I include PGADMIN_ENABLE_TLS: true in my podman compose file as well as
>>> my certs which are valid. There are no errors at startup in the container
>>> logs.
>>>
>>> Here are the total contents of gunicorn_config.py
>>>
>>> ********* BEGIN ********************
>>> import gunicorn
>>> gunicorn.SERVER_SOFTWARE = 'Python'
>>> conf = '/pgadmin4/config.py'
>>>
>>> #ssl_version = 'TLSv1_2' -- working 8.6 setting
>>> #ciphers = 'ECDHE-RSA-AES256-GCM-SHA383:!aNull' -- working 8.6 setting
>>>
>>> def ssl_context(conf, default_ssl_context_factory):
>>>     import ssl
>>>     context = default_ssl_context_factory()
>>>     context.minimum_version = ssl.TLSVersion.TLSv1_3
>>>     return context
>>>
>>> ******* EOF **************
>>>
>> This code looks fine.
>>> I test TLS version using openssl like this:
>>>
>>> # openssl s_client -showcerts -tls1_2 -connect hostname:port
>>>
>> What is the output of `curl -v <pgadmin_url>` ?
>>> The above command gets a valid response with a TLS 1.2 handshake using a cipher of ECDHE-RSA-AES256-GCM-SHA383. I would expect this not to work.
>>>
>>> Thanks, John
>>>
>>> On Tue, Apr 8, 2025 at 7:10 AM Khushboo Vashi <
>>> [email protected]> wrote:
>>>
>>>> Hi,
>>>>
>>>> On Tue, Apr 8, 2025 at 12:00 AM John Barker <[email protected]>
>>>> wrote:
>>>>
>>>>>
>>>>> I am running pgAdmin 9.1 in a podman container and am trying to ensure
>>>>> that TLS 1.3 is the minimum version. I have created an override file and
>>>>> I know that it is being read at startup but the enforcement of TLS 1.3 is
>>>>> not happening. I am using this configuration as suggested by the
>>>>> documentation here: https://docs.gunicorn.org/en/21.2.0/settings.html
>>>>>
>>>>> Any idea of what to check. I know the file is being parsed because if
>>>>> I introduce a bad config, it is noted at startup.
>>>>>
>>>>> Also, where or how is the instance variable for the config defined?
>>>>>
>>>>> "The callable needs to accept an instance variable for the Config"
>>>>>
>>>>
>>>> Can you please share your gunicorn_config.py file?
>>>> The code looks good to me, and you said that you mapped the correct
>>>> Gunicorn config file from the container.
>>>> Also, what testing have you done to check whether the TLS version is
>>>> enforced or not?
>>>>
>>>>>
>>>>> The below is a file mapped into the container called gunicorn_config.py
>>>>>
>>>>> def ssl_context(conf, default_ssl_context_factory):
>>>>>     import ssl
>>>>>     context = default_ssl_context_factory()
>>>>>     context.minimum_version = ssl.TLSVersion.TLSv1_3
>>>>>     return context
>>>>>
>>>>>