From: Khushboo Vashi <[email protected]>
To: John Barker <[email protected]>
Cc: pgadmin-support lists.postgresql.org <[email protected]>
Subject: Re: Enforcing TLS 1.3 as a minimum version
Date: Wed, 9 Apr 2025 09:08:16 +0530
Message-ID: <CAFOhELcXgrRQE37+W+e3xabqjoYe-AzH5ewuELRErLXbA75LRg@mail.gmail.com>
In-Reply-To: <CA+7KU8oww0yJ2uFVyfBaYPFEBw=qCLcJmZ3OCY_mqNwzSVbZsg@mail.gmail.com>
References: <CA+7KU8pPEXm-EbY0nk3CwiMkM962AMapwghwSAu0QmThnkZoNQ@mail.gmail.com>
<CA+7KU8qGkLzzAFJHuJfCe=jZuOG2ZHAWQvgv+oW+5m5ZBNAsOA@mail.gmail.com>
<CAFOhELeMYYFz8vpBpd7DKtjW10THuv22WZ6NiYUZTZZ634MaQw@mail.gmail.com>
<CA+7KU8oww0yJ2uFVyfBaYPFEBw=qCLcJmZ3OCY_mqNwzSVbZsg@mail.gmail.com>
[...Looping pgAdmin-Support]
On Tue, Apr 8, 2025 at 9:19 PM John Barker <[email protected]> wrote:
> Hello,
>
> I am on a closed network so I can't copy my files and have to retype
> them. I have verified that the file below is being parsed when the
> container starts. My config.py is default as shipped with the
> container. I was previously able to get this to work with pgAdmin 8.6
> and TLS 1.2 (no ssl_context required) before the requirement to upgrade
> to pgAdmin 9.1 and TLS 1.3 (using ssl_context).
>
> I include PGADMIN_ENABLE_TLS: true in my podman compose file as well as my
> certs which are valid. There are no errors at startup in the container
> logs.
>
> Here are the total contents of gunicorn_config.py
>
> ********* BEGIN ********************
> import gunicorn
> gunicorn.SERVER_SOFTWARE = 'Python'
> conf = '/pgadmin4/config.py'
>
> #ssl_version = 'TLSv1_2' -- working 8.6 setting
> #ciphers = 'ECDHE-RSA-AES256-GCM-SHA383:!aNull' -- working 8.6 setting
>
> def ssl_context(conf, default_ssl_context_factory):
>     import ssl
>     context = default_ssl_context_factory()
>     context.minimum_version = ssl.TLSVersion.TLSv1_3
>     return context
>
> ******* EOF **************
>
> This code looks fine.
> I test TLS version using openssl like this:
>
> # openssl s_client -showcerts -tls1_2 -connect hostname:port
>
> What is the output of `curl -v <pgadmin_url>` ?
> The above command gets a valid response with a TLS 1.2 handshake using a cipher of ECDHE-RSA-AES256-GCM-SHA383. I would expect this not to work.
>
> Thanks, John
>
> On Tue, Apr 8, 2025 at 7:10 AM Khushboo Vashi <[email protected]> wrote:
>
>> Hi,
>>
>> On Tue, Apr 8, 2025 at 12:00 AM John Barker <[email protected]> wrote:
>>
>>>
>>> I am running pgAdmin 9.1 in a podman container and am trying to ensure
>>> that TLS 1.3 is the minimum version. I have created an override file and
>>> I know that it is being read at startup but the enforcement of TLS 1.3 is
>>> not happening. I am using this configuration as suggested by the
>>> documentation here: https://docs.gunicorn.org/en/21.2.0/settings.html
>>>
>>> Any idea of what to check. I know the file is being parsed because if I
>>> introduce a bad config, it is noted at startup.
>>>
>>> Also, where or how is the instance variable for the config defined?
>>>
>>> "The callable needs to accept an instance variable for the Config"
>>>
>>
>> Can you please share your gunicorn_config.py file?
>> The code looks good to me, and you said that you mapped the correct
>> Gunicorn config file from the container.
>> Also, what testing have you done to check whether the TLS version is
>> enforced or not?
>>
>>>
>>> The below is a file mapped into the container called gunicorn_config.py
>>>
>>> def ssl_context(conf, default_ssl_context_factory):
>>>     import ssl
>>>     context = default_ssl_context_factory()
>>>     context.minimum_version = ssl.TLSVersion.TLSv1_3
>>>     return context
>>>
>>>
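Added example, not from this thread or from pgAdmin or gunicorn: a loopback check of the same `ssl_context` hook, which calls it the way gunicorn does (config object first, then a factory returning the server context) and then probes the result with a client capped at TLS 1.2 and one allowed TLS 1.3. It assumes the `openssl` CLI is on PATH to mint a throwaway self-signed certificate, and passes `None` where gunicorn would pass its Config instance because the hook never reads it.

```python
import os, socket, ssl, subprocess, tempfile, threading

def ssl_context(conf, default_ssl_context_factory):
    # Same hook shape as gunicorn_config.py: raise the floor to TLS 1.3.
    context = default_ssl_context_factory()
    context.minimum_version = ssl.TLSVersion.TLSv1_3
    return context

def handshake_with(server_ctx, client_max):
    """Loopback handshake; returns the negotiated version, or None if the server refuses."""
    client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    client_ctx.check_hostname, client_ctx.verify_mode = False, ssl.CERT_NONE  # throwaway cert
    client_ctx.maximum_version = client_max   # cap the client, like `openssl s_client -tls1_2`
    listener = socket.create_server(("127.0.0.1", 0))
    def serve():                              # one accept, one handshake, then exit
        conn, _ = listener.accept()
        try:
            server_ctx.wrap_socket(conn, server_side=True).close()
        except (ssl.SSLError, OSError):
            pass                              # the refused TLS 1.2 handshake lands here
        finally:
            conn.close()
    worker = threading.Thread(target=serve)
    worker.start()
    try:
        with socket.create_connection(listener.getsockname()) as raw, \
                client_ctx.wrap_socket(raw, server_hostname="localhost") as tls:
            return tls.version()
    except (ssl.SSLError, ConnectionError):   # server alerted (protocol_version) or hung up
        return None
    finally:
        worker.join()
        listener.close()

def check_enforcement():
    """Apply the hook as gunicorn would, then probe it with a TLS 1.2 and a TLS 1.3 client."""
    with tempfile.TemporaryDirectory() as tmpdir:
        # Constructed throwaway self-signed cert for the loopback test (needs the openssl CLI).
        cert, key = os.path.join(tmpdir, "cert.pem"), os.path.join(tmpdir, "key.pem")
        subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                        "-subj", "/CN=localhost", "-keyout", key, "-out", cert],
                       check=True, capture_output=True)
        def default_factory():                # stands in for gunicorn's default_ssl_context_factory
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
            ctx.load_cert_chain(cert, key)
            return ctx
        ctx = ssl_context(None, default_factory)
        return {"tls1_2": handshake_with(ctx, ssl.TLSVersion.TLSv1_2),
                "tls1_3": handshake_with(ctx, ssl.TLSVersion.TLSv1_3)}
```

If this returns `{"tls1_2": None, "tls1_3": "TLSv1.3"}` the hook itself is sound, so a TLS 1.2 handshake still succeeding against the container means gunicorn is not loading that file or is not the process terminating TLS.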