From: John Barker <johnobarker@gmail.com>
Date: Wed, 9 Apr 2025 10:26:38 -0400
Subject: Re: Enforcing TLS 1.3 as a minimum version
To: Khushboo Vashi <khushboo.vashi@enterprisedb.com>
Cc: pgadmin-support@lists.postgresql.org

> What is the output of `curl -v <pgadmin_url>` ?

The curl connects successfully but gives no information:

curl: (52) Empty reply from server.
On Tue, Apr 8, 2025 at 11:38 PM Khushboo Vashi <khushboo.vashi@enterprisedb.com> wrote:
> [...Looping pgAdmin-Support]
>
> On Tue, Apr 8, 2025 at 9:19 PM John Barker <johnobarker@gmail.com> wrote:
>> Hello,
>>
>> I am on a closed network so I can't copy my files and have to retype them. I have verified that the file below is being parsed when the container starts. My config.py is default as shipped with the container. I was previously able to get this to work with pgAdmin 8.6 and TLS 1.2 (no ssl_context required) before the requirement to upgrade to pgAdmin 9.1 and TLS 1.3 (using ssl_context).
>>
>> I include PGADMIN_ENABLE_TLS: true in my podman compose file as well as my certs which are valid. There are no errors at startup in the container logs.
>>
>> Here are the total contents of gunicorn_config.py
>>
>> ********* BEGIN ********************
>> import gunicorn
>> gunicorn.SERVER_SOFTWARE = 'Python'
>> conf = '/pgadmin4/config.py'
>>
>> #ssl_version = 'TLSv1_2'      -- working 8.6 setting
>> #ciphers = 'ECDHE-RSA-AES256-GCM-SHA383:!aNull'  -- working 8.6 setting
>>
>> def ssl_context(conf, default_ssl_context_factory):
>>     import ssl
>>     context = default_ssl_context_factory()
>>     context.minimum_version = ssl.TLSVersion.TLSv1_3
>>     return context
>>
>> ******* EOF **************
>
> This code looks fine.
>
>> I test TLS version using openssl like this:
>>
>> # openssl s_client -showcerts -tls1_2 -connect hostname:port
>
> What is the output of `curl -v <pgadmin_url>` ?
>
>> The above command gets a valid response with a TLS 1.2 handshake using a cipher of ECDHE-RSA-AES256-GCM-SHA383. I would expect this not to work.
>>
>> Thanks, John
>>
>> On Tue, Apr 8, 2025 at 7:10 AM Khushboo Vashi <khushboo.vashi@enterprisedb.com> wrote:
>>> Hi,
>>>
>>> On Tue, Apr 8, 2025 at 12:00 AM John Barker <johnobarker@gmail.com> wrote:
>>>> I am running pgAdmin 9.1 in a podman container and am trying to ensure that TLS 1.3 is the minimum version. I have created an override file and I know that it is being read at startup but the enforcement of TLS 1.3 is not happening. I am using this configuration as suggested by the documentation here: https://docs.gunicorn.org/en/21.2.0/settings.html
>>>>
>>>> Any idea of what to check. I know the file is being parsed because if I introduce a bad config, it is noted at startup.
>>>>
>>>> Also, where or how is the instance variable for the config defined?
>>>>
>>>> "The callable needs to accept an instance variable for the Config"
>>>
>>> Can you please share your gunicorn_config.py file?
>>> The code looks good to me, and you said that you mapped the correct Gunicorn config file from the container.
>>> Also, what testing have you done to check whether the TLS version is enforced or not?
>>>
>>>> The below is a file mapped into the container called gunicorn_config.py
>>>>
>>>> def ssl_context(conf, default_ssl_context_factory):
>>>>     import ssl
>>>>     context = default_ssl_context_factory()
>>>>     context.minimum_version = ssl.TLSVersion.TLSv1_3
>>>>     return context
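The thread's open question is how to verify that the TLS 1.3 floor set in the `ssl_context` hook is actually enforced, given that `openssl s_client -tls1_2` still completes a handshake. The script below is an added example, not code from the thread, pgAdmin or Gunicorn: it keeps the hook as posted, pairs it with a probe that pins a client to exactly one protocol version per attempt (the same idea as `-tls1_2`), and a `judge` function that only calls the floor enforced when every lower version was refused and the floor itself was accepted. `stand_in_factory` is a hypothetical stand-in for Gunicorn's `default_ssl_context_factory`, the host and port are whatever server you run it against, and `REPORTED_OUTCOMES` is a constructed sample mirroring what the thread reports.

```python
"""Probe which TLS versions a server accepts and judge whether a configured
floor (TLS 1.3 here) is really enforced. Added example, not from the thread."""
import socket
import ssl
from typing import Dict, List

TLS12 = ssl.TLSVersion.TLSv1_2
TLS13 = ssl.TLSVersion.TLSv1_3
PROBE_VERSIONS = (TLS12, TLS13)


def ssl_context(conf, default_ssl_context_factory):
    """The Gunicorn `ssl_context` hook as posted in the thread: take the
    server's default context and raise the protocol floor to TLS 1.3."""
    context = default_ssl_context_factory()
    context.minimum_version = TLS13
    return context


def stand_in_factory() -> ssl.SSLContext:
    """Hypothetical stand-in for Gunicorn's default_ssl_context_factory
    (assumption: the real one also returns a server-role ssl.SSLContext)."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def client_pinned_to(version: ssl.TLSVersion) -> ssl.SSLContext:
    """Client context that can negotiate exactly one protocol version, like
    `openssl s_client -tls1_2`. Certificate checks are off on purpose: this
    diagnostic measures version policy on your own server, not trust."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def probe_tls_versions(host: str, port: int, timeout: float = 5.0) -> Dict[ssl.TLSVersion, str]:
    """One handshake per version against host:port (needs network access).
    Outcome strings start with 'accepted' or 'rejected'."""
    outcomes: Dict[ssl.TLSVersion, str] = {}
    for version in PROBE_VERSIONS:
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with client_pinned_to(version).wrap_socket(raw, server_hostname=host) as tls:
                    outcomes[version] = "accepted (%s, %s)" % (tls.version(), tls.cipher()[0])
        except (ssl.SSLError, OSError) as exc:
            outcomes[version] = "rejected: %s" % exc
    return outcomes


def judge(outcomes: Dict[ssl.TLSVersion, str], required_minimum: ssl.TLSVersion) -> dict:
    """Enforcement holds only if every version below the floor was refused AND
    the floor itself was accepted; a server that refuses everything is broken
    or unreachable, not hardened."""
    violations: List[ssl.TLSVersion] = [
        v for v, outcome in sorted(outcomes.items())
        if v < required_minimum and outcome.startswith("accepted")
    ]
    floor_accepted = outcomes.get(required_minimum, "").startswith("accepted")
    return {
        "enforced": bool(not violations and floor_accepted),
        "violations": violations,
        "floor_accepted": floor_accepted,
    }


# Constructed sample mirroring the thread's report: the TLS 1.2 handshake still
# succeeded (the thread types the cipher as ...SHA383; OpenSSL's name is SHA384).
REPORTED_OUTCOMES = {
    TLS12: "accepted (TLSv1.2, ECDHE-RSA-AES256-GCM-SHA384)",
    TLS13: "accepted (TLSv1.3, TLS_AES_256_GCM_SHA384)",
}


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        results = probe_tls_versions(sys.argv[1], int(sys.argv[2]))
    else:
        results = REPORTED_OUTCOMES  # offline demo when no host:port is given
    for version, outcome in sorted(results.items()):
        print("%-8s %s" % (version.name, outcome))
    print(judge(results, TLS13))
```

Run it as `python probe.py pgadmin-host 443` against the container; if `TLSv1_2` shows as accepted, the hook is not the context the listener is actually using, and the next thing to check is how the container's entrypoint starts Gunicorn and whether any `ssl_version` or `ciphers` setting still takes effect.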