Is TLS v1.2 possible w dotConnect 7.6 and Postgres 9.6 on Windows ?


Postby tgrovnes » Mon 05 Dec 2016 08:38

In my setup I'm using dotConnect 7.6 and Postgres 9.6 running on Windows 10/Windows Server 2012 with the following ssl configuration:

ssl = on
ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL:@STRENGTH'


With this setup I'm only able to get a TLS 1.1 connection, cipher=AES256-SHA (reported by Postgres debug output). I've tried other lists as well, but this is as "good as it gets".

Using PgAdmin and openssl.exe the server reports TLS 1.2 connections, cipher=ECDHE-RSA-AES256-GCM-SHA384

In addition, whenever I put !SSLv3 and/or !TLSv1 in the Postgres cipher list, dotConnect fails to connect with the error "The server hello message uses a protocol that was not recognized"; PgAdmin and openssl.exe connect without an issue in these cases.

Am I missing something that prevents dotConnect from achieving a TLS 1.2 connection, or is this a known limitation? Any advice would be appreciated.
tgrovnes
 
Posts: 11
Joined: Mon 05 Dec 2016 07:33

Re: Is TLS v1.2 possible w dotConnect 7.6 and Postgres 9.6 on Windows ?

Postby Pinturiccio » Tue 06 Dec 2016 15:43

We will add a connection string parameter to determine which TLS version must be used and post here about the results.

tgrovnes wrote: cipher=ECDHE-RSA-AES256-GCM-SHA384

dotConnect for PostgreSQL does not support ciphers of this format. We will investigate the possibility of supporting this cipher format, but we can't give any timeframe at the moment.
Pinturiccio
Devart Team
 
Posts: 1982
Joined: Wed 02 Nov 2011 09:44

Re: Is TLS v1.2 possible w dotConnect 7.6 and Postgres 9.6 on Windows ?

Postby tgrovnes » Tue 06 Dec 2016 20:20

My main interest is getting a connection using TLS v1.2 with a "safe" cipher, not specifically ECDHE-RSA-AES256-GCM-SHA384 but one of those recommended by, e.g., https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#22-use-secure-protocols (see sections 2.2 and 2.3).
tgrovnes
 
Posts: 11
Joined: Mon 05 Dec 2016 07:33

Re: Is TLS v1.2 possible w dotConnect 7.6 and Postgres 9.6 on Windows ?

Postby tgrovnes » Thu 22 Dec 2016 08:48

@Pinturiccio, any idea when the connection string parameter will be available? Also, if this parameter is not set, will dotConnect negotiate its way to TLS 1.2 if that is what is configured on the Postgres server?
tgrovnes
 
Posts: 11
Joined: Mon 05 Dec 2016 07:33

Re: Is TLS v1.2 possible w dotConnect 7.6 and Postgres 9.6 on Windows ?

Postby Shalex » Thu 22 Dec 2016 11:48

tgrovnes wrote: any idea when the connection string parameter will be available?
An approximate timeframe is one month. We will notify you when it is implemented.

tgrovnes wrote: Also, if this parameter is not set, will dotConnect negotiate its way to TLS 1.2 if that is what is configured on the Postgres server?
There is no way to use TLSv1.2 via dotConnect for PostgreSQL at the moment. As a temporary workaround, please use TLSv1.1.
Shalex
Devart Team
 
Posts: 7654
Joined: Thu 14 Aug 2008 12:44

Re: Is TLS v1.2 possible w dotConnect 7.6 and Postgres 9.6 on Windows ?

Postby tgrovnes » Thu 22 Dec 2016 13:05

Good news!

I fully understand TLS 1.2 is not working currently and TLS 1.1 is an option.

About the fix you are planning to implement:
Will dotConnect negotiate TLS 1.2 by default with this fix, i.e. if no specific TLS version is set in the connection string, or is this too early to say?

About ciphers:
My main interest is getting a connection using TLS v1.2 with a "safe" cipher, not specifically ECDHE-RSA-AES256-GCM-SHA384 but one of those recommended by, e.g., https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#22-use-secure-protocols (see sections 2.2 and 2.3).

Thanks again
tgrovnes
 
Posts: 11
Joined: Mon 05 Dec 2016 07:33

Re: Is TLS v1.2 possible w dotConnect 7.6 and Postgres 9.6 on Windows ?

Postby Shalex » Thu 22 Dec 2016 13:48

tgrovnes wrote: Will dotConnect negotiate TLS 1.2 by default with this fix, i.e. if no specific TLS version is set in the connection string, or is this too early to say?
We will describe the default behaviour after the feature is implemented.
Shalex
Devart Team
 
Posts: 7654
Joined: Thu 14 Aug 2008 12:44

Re: Is TLS v1.2 possible w dotConnect 7.6 and Postgres 9.6 on Windows ?

Postby tgrovnes » Fri 03 Feb 2017 14:20

Are there any updates on this issue? I have to decide if I should continue to wait or if I should investigate other ways of addressing this. I'd prefer an update to dotConnect of course :). Any feedback/progress would be appreciated.

Thank you

/T
tgrovnes
 
Posts: 11
Joined: Mon 05 Dec 2016 07:33

Re: Is TLS v1.2 possible w dotConnect 7.6 and Postgres 9.6 on Windows ?

Postby Pinturiccio » Wed 08 Feb 2017 16:33

We have added the "SSL TLS Protocol" connection string parameter to PgSqlConnection for specifying the preferred TLS version that will be sent to the server. We will post here when the corresponding build of dotConnect for PostgreSQL is available for download.

The behavior of this parameter is the following:
1. If the parameter is not specified, the 1.1 value is used;
2. If you specify a value, for example, 1.2, this version will be sent to server as preferred when connecting.

If the server does not support the specified version, it won't cause an error. Instead, the server will return the maximal version value it supports, and this version will be used by the connection. For example, suppose the server supports TLS 1.0 and does not support TLS 1.1 and TLS 1.2. If you set the "SSL TLS Protocol" parameter to 1.1 or 1.2, the resulting connection will use TLS 1.0.
Pinturiccio
Devart Team
 
Posts: 1982
Joined: Wed 02 Nov 2011 09:44
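Because the parameter above only states a preference and the server silently falls back to whatever it supports, the version a client actually negotiated should be checked on the server rather than assumed. The following query is an added example, not something from this thread or from Devart; it assumes PostgreSQL 9.5 or later (for the pg_stat_ssl view) and a role allowed to see other backends' session details.

```sql
-- Constructed check (not from the thread): list every client session's
-- negotiated TLS version and cipher, and flag sessions that are plaintext,
-- below TLS 1.2, or using a cipher suite without an AEAD mode.
-- Run it while the dotConnect application is connected to see what it got.
SELECT a.pid,
       a.usename,
       a.application_name,
       a.client_addr,
       s.ssl,
       s.version,      -- e.g. 'TLSv1.1' or 'TLSv1.2', as reported by OpenSSL
       s.cipher,       -- e.g. 'AES256-SHA' or 'ECDHE-RSA-AES256-GCM-SHA384'
       s.bits,
       CASE
         WHEN NOT s.ssl                                    THEN 'PLAINTEXT'
         WHEN s.version IN ('SSLv3', 'TLSv1', 'TLSv1.1')   THEN 'BELOW_TLS1.2'
         WHEN s.cipher NOT LIKE '%GCM%'
          AND s.cipher NOT LIKE '%CHACHA20%'               THEN 'NON_AEAD_CIPHER'
         ELSE 'OK'
       END AS assessment
FROM pg_stat_ssl AS s
JOIN pg_stat_activity AS a USING (pid)
WHERE a.pid <> pg_backend_pid()   -- skip the session running this query
ORDER BY assessment, a.pid;
```

A session that shows version TLSv1.1 with cipher AES256-SHA matches the original report in this thread; after setting "SSL TLS Protocol" to 1.2 the same client should appear as TLSv1.2.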

Re: Is TLS v1.2 possible w dotConnect 7.6 and Postgres 9.6 on Windows ?

Postby tgrovnes » Thu 09 Feb 2017 11:47

Great, looking forward to trying it out.
tgrovnes
 
Posts: 11
Joined: Mon 05 Dec 2016 07:33

Re: Is TLS v1.2 possible w dotConnect 7.6 and Postgres 9.6 on Windows ?

Postby Pinturiccio » Thu 09 Feb 2017 17:21

New build of dotConnect for PostgreSQL 7.7.837 is available for download now!
It can be downloaded from http://www.devart.com/dotconnect/postgresql/download.html (trial version) or from Registered Users' Area (for users with valid subscription only).
For more information, please refer to http://forums.devart.com/viewtopic.php?t=34948
Pinturiccio
Devart Team
 
Posts: 1982
Joined: Wed 02 Nov 2011 09:44

Re: Is TLS v1.2 possible w dotConnect 7.6 and Postgres 9.6 on Windows ?

Postby tgrovnes » Tue 14 Feb 2017 08:57

Tested, works as described, i.e. it defaults to TLS 1.1 without the connection string parameter "SSL TLS Protocol", and setting it to 1.2 enabled TLS 1.2.

Good work, thanks.
tgrovnes
 
Posts: 11
Joined: Mon 05 Dec 2016 07:33

