Connect to Postgres with SSLv3 disabled on the server

Postby tgrovnes » Tue 14 Feb 2017 10:47

I'm using dotConnect 7.7.837.0 and Postgres 9.6 running on Windows 10/Windows Server 2012 with the following ssl configuration:

Code:
ssl = on
ssl_ciphers = 'HIGH:MEDIUM:+3DES:!SSLv3:!aNULL:@STRENGTH'


I'm only allowing SSL connections in pg_hba.conf.

I run the postgres db from command line with the -d 1 flag to get a report on the quality of the connection.

With this setup dotConnect fails to connect with the error "The server hello message uses a protocol that was not recognized".

I've tried other cipher lists as well but whenever I put !SSLv3 in the Postgres Cipher List it fails to connect.

However, PgAdmin and openssl.exe connect without an issue in these cases; in both cases the server reports TLS 1.2 connections, cipher=ECDHE-RSA-AES256-GCM-SHA384.

The main reason for adding !SSLv3 to the cipher list is to prevent any client connecting to the Postgres server using the less secure SSL3 protocol as this poses a security risk.
tgrovnes
 
Posts: 11
Joined: Mon 05 Dec 2016 07:33
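
Added example, not part of the original posts or of dotConnect: per the OpenSSL ciphers manual, version keywords such as SSLv3 in a cipher string select cipher suites by the minimum protocol version they are defined for and do not change the negotiated protocol version. The Python sketch below expands the cipher string from the post with and without !SSLv3 so the remaining suites can be compared with what a client offers. It assumes the local Python is linked against a comparable OpenSSL build; the result varies between OpenSSL versions, and TLS 1.3 suites are listed regardless of the string.

```python
import ssl
from collections import Counter

# Cipher string from the first post, and the same string without !SSLv3.
WITH_EXCLUSION = "HIGH:MEDIUM:+3DES:!SSLv3:!aNULL:@STRENGTH"
WITHOUT_EXCLUSION = "HIGH:MEDIUM:+3DES:!aNULL:@STRENGTH"


def expand(cipher_string):
    """Return {suite name: protocol label} for the suites the string enables."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return {c["name"]: c["protocol"] for c in ctx.get_ciphers()}


def compare(with_excl=WITH_EXCLUSION, without_excl=WITHOUT_EXCLUSION):
    """Split the baseline suites into those kept and those dropped."""
    kept = expand(with_excl)
    baseline = expand(without_excl)
    dropped = {n: p for n, p in baseline.items() if n not in kept}
    return kept, dropped


def report():
    """Build a text summary grouped by the protocol label OpenSSL reports."""
    kept, dropped = compare()
    lines = [f"OpenSSL build: {ssl.OPENSSL_VERSION}"]
    for title, suites in (("kept", kept), ("dropped by !SSLv3", dropped)):
        counts = dict(Counter(suites.values()))
        lines.append(f"{title}: {len(suites)} suites {counts}")
        lines.extend(f"  {p:8} {n}" for n, p in sorted(suites.items()))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

The protocol column is the label OpenSSL attaches to each suite, which is the property the SSLv3 keyword filters on.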

Re: Connect to Postgres with SSLv3 disabled on the server

Postby Shalex » Thu 16 Feb 2017 10:40

For some reason, !SSLv3 doesn't allow usage of any of the ciphers supported by dotConnect for PostgreSQL (for TLS1.0 as well). We will investigate the issue and notify you about the result.
Shalex
Devart Team
 
Posts: 7530
Joined: Thu 14 Aug 2008 12:44

Re: Connect to Postgres with SSLv3 disabled on the server

Postby tgrovnes » Fri 10 Mar 2017 08:53

Some additional info: dotConnect/Postgres handshake from Wireshark (below). See the list of safe TLS1.2 ciphers here: https://wiki.openssl.org/index.php/Manual:Ciphers(1)

[Image: Wireshark capture of the dotConnect/Postgres handshake]
tgrovnes
 
Posts: 11
Joined: Mon 05 Dec 2016 07:33

Re: Connect to Postgres with SSLv3 disabled on the server

Postby Shalex » Fri 10 Mar 2017 12:30

Thank you for the additional information. We will notify you about the result of our investigation.
Shalex
Devart Team
 
Posts: 7530
Joined: Thu 14 Aug 2008 12:44
