From: Khushboo Vashi <khushboo.vashi@enterprisedb.com>
Date: Wed, 9 Apr 2025 09:08:16 +0530
Subject: Re: Enforcing TLS 1.3 as a minimum version
To: John Barker <johnobarker@gmail.com>
Cc: pgadmin-support@lists.postgresql.org

[...Looping pgAdmin-Support]

On Tue, Apr 8, 2025 at 9:19 PM John Barker <johnobarker@gmail.com> wrote:
> Hello,
>
> I am on a closed network so I can't copy my files and have to retype
> them. I have verified that the file below is being parsed when the
> container starts. My config.py is default as shipped with the
> container. I was previously able to get this to work with pgAdmin 8.6
> and TLS 1.2 (no ssl_context required) before the requirement to upgrade
> to pgAdmin 9.1 and TLS 1.3 (using ssl_context).
>
> I include PGADMIN_ENABLE_TLS: true in my podman compose file as well as my
> certs which are valid. There are no errors at startup in the container
> logs.
>
> Here are the total contents of gunicorn_config.py
>
> ********* BEGIN ********************
>     import gunicorn
>     gunicorn.SERVER_SOFTWARE = 'Python'
>     conf = '/pgadmin4/config.py'
>
>     #ssl_version = 'TLSv1_2'      -- working 8.6 setting
>     #ciphers = 'ECDHE-RSA-AES256-GCM-SHA383:!aNull'  -- working 8.6 setting
>
>     def ssl_context(conf, default_ssl_context_factory):
>         import ssl
>         context = default_ssl_context_factory()
>         context.minimum_version = ssl.TLSVersion.TLSv1_3
>         return context
>
> ******* EOF **************
>

This code looks fine.

> I test TLS version using openssl like this:
>
> # openssl s_client -showcerts -tls1_2 -connect hostname:port
>

What is the output of `curl -v <pgadmin_url>` ?

> The above command gets a valid response with a TLS 1.2 handshake using a
> cipher of ECDHE-RSA-AES256-GCM-SHA383. I would expect this not to work.
>
> Thanks, John
>
> On Tue, Apr 8, 2025 at 7:10 AM Khushboo Vashi
> <khushboo.vashi@enterprisedb.com> wrote:
>
>> Hi,
>>
>> On Tue, Apr 8, 2025 at 12:00 AM John Barker <johnobarker@gmail.com> wrote:
>>
>>> I am running pgAdmin 9.1 in a podman container and am trying to ensure
>>> that TLS 1.3 is the minimum version. I have created an override file and
>>> I know that it is being read at startup but the enforcement of TLS 1.3 is
>>> not happening. I am using this configuration as suggested by the
>>> documentation here: https://docs.gunicorn.org/en/21.2.0/settings.html
>>>
>>> Any idea of what to check. I know the file is being parsed because if I
>>> introduce a bad config, it is noted at startup.
>>>
>>> Also, where or how is the instance variable for the config defined?
>>>
>>> "The callable needs to accept an instance variable for the Config"
>>>
>>
>> Can you please share your gunicorn_config.py file?
>> The code looks good to me, and you said that you mapped the correct
>> Gunicorn config file from the container.
>> Also, what testing have you done to check whether the TLS version is
>> enforced or not?
>>
>>> The below is a file mapped into the container called gunicorn_config.py
>>>
>>>     def ssl_context(conf, default_ssl_context_factory):
>>>         import ssl
>>>         context = default_ssl_context_factory()
>>>         context.minimum_version = ssl.TLSVersion.TLSv1_3
>>>         return context
>>>
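An added check for the question raised in this thread (how to tell whether the TLS floor is really enforced), written for this page and not taken from the thread, from pgAdmin or from gunicorn: it reuses the `ssl_context` hook as posted, builds a client capped at TLS 1.2 in the same spirit as `openssl s_client -tls1_2`, and reports whether a live endpoint refuses it. The stand-in context factory, the host and port arguments, and the `tls13_floor_enforced` helper are assumptions of this example.

```python
import socket
import ssl
import sys

def ssl_context(conf, default_ssl_context_factory):
    """The hook from the thread: raise the server's floor to TLS 1.3."""
    context = default_ssl_context_factory()
    context.minimum_version = ssl.TLSVersion.TLSv1_3
    return context

def server_context_under_test():
    """What the hook returns when fed Python's stock server context.
    Assumption: this stands in for gunicorn's default factory."""
    factory = lambda: ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    return ssl_context(None, factory)

def client_context(max_version):
    """Client capped at max_version, the same idea as `openssl s_client -tls1_2`.
    Certificate checks are off because only version negotiation matters here."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.maximum_version = max_version
    return ctx

def probe(host, port, max_version):
    """Return the negotiated protocol ('TLSv1.2', 'TLSv1.3') or a 'handshake failed' string."""
    ctx = client_context(max_version)
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version()
    except ssl.SSLError as exc:
        return f"handshake failed: {exc.reason}"

def tls13_floor_enforced(tls12_result, tls13_result):
    """Enforced only if the TLS 1.2-capped client is refused and TLS 1.3 still works."""
    return tls12_result.startswith("handshake failed") and tls13_result == "TLSv1.3"

if __name__ == "__main__":
    # Hypothetical usage: python check_tls_floor.py pgadmin.example.internal 443
    host, port = sys.argv[1], int(sys.argv[2])
    r12 = probe(host, port, ssl.TLSVersion.TLSv1_2)
    r13 = probe(host, port, ssl.TLSVersion.TLSv1_3)
    print(f"TLS 1.2-capped client: {r12}\nTLS 1.3 client: {r13}")
    print("TLS 1.3 floor enforced" if tls13_floor_enforced(r12, r13) else "NOT enforced")
```

A successful TLS 1.2 handshake from the capped client, as John reports, means the floor set in the hook is not the one the listening socket is using.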