From: Khushboo Vashi
Date: Tue, 8 Apr 2025 16:40:04 +0530
Subject: Re: Enforcing TLS 1.3 as a a minimum version
To: John Barker
Cc: pgadmin-support@lists.postgresql.org

Hi,

On Tue, Apr 8, 2025 at 12:00 AM John Barker wrote:

> I am running pgAdmin 9.1 in a podman container and am trying to ensure
> that TLS 1.3 is the minimum version. I have created an override file and
> I know that it is being read at startup but the enforcement of TLS 1.3 is
> not happening. I am using this configuration as suggested by the
> documentation here: https://docs.gunicorn.org/en/21.2.0/settings.html
>
> Any idea of what to check. I know the file is being parsed because if I
> introduce a bad config, it is noted at startup.
>
> Also, where or how is the instance variable for the config defined?
>
> "The callable needs to accept an instance variable for the Config"
>

Can you please share your gunicorn_config.py file?
The code looks good to me, and you said that you mapped the correct
Gunicorn config file from the container.
Also, what testing have you done to check whether the TLS version is
enforced or not?

> The below is a file mapped into the container called gunicorn_config.py
>
> def ssl_context(conf, default_ssl_context_factory):
>     import ssl
>     context = default_ssl_context_factory()
>     context.minimum_version = ssl.TLSVersion.TLSv1_3
>     return context
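
One way to run the kind of test asked about in the reply above: attempt one handshake capped at TLS 1.2 and one capped at TLS 1.3, then compare the results. This is an added example, not part of the original thread and not pgAdmin or Gunicorn code; the function names and the address in the final lines are assumptions.

```python
import socket
import ssl


def probe(host, port, max_version, timeout=5.0):
    """Handshake offering nothing newer than max_version.

    Returns the negotiated version string (e.g. "TLSv1.2"), "refused" if the
    handshake fails, or "unreachable" if the TCP connection cannot be made.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Only the protocol version is under test, so certificate trust is not
    # checked here (the server may be using a self-signed certificate).
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.maximum_version = max_version
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    try:
        with raw, ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()
    except OSError:  # ssl.SSLError, resets and timeouts are all OSError
        return "refused"


def verdict(tls12_result, tls13_result):
    """Turn the two probe results into a statement about enforcement."""
    if "unreachable" in (tls12_result, tls13_result):
        return "inconclusive: server unreachable"
    if tls13_result != "TLSv1.3":
        return "inconclusive: TLS 1.3 handshake failed"
    if tls12_result == "refused":
        return "enforced"
    return "not enforced: negotiated " + tls12_result


def check_minimum_tls13(host, port):
    """Probe once capped at TLS 1.2 and once capped at TLS 1.3."""
    return verdict(probe(host, port, ssl.TLSVersion.TLSv1_2),
                   probe(host, port, ssl.TLSVersion.TLSv1_3))


if __name__ == "__main__":
    # Hypothetical address: replace with the port Gunicorn listens on.
    print(check_minimum_tls13("127.0.0.1", 443))
```

Point it at the port Gunicorn itself listens on; if a proxy terminates TLS in front of the container, the result describes the proxy rather than the `ssl_context` hook.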