Is TLS v1.2 possible w dotConnect 7.6 and Postgres 9.6 on Windows ?

tgrovnes
Posts: 11
Joined: Mon 05 Dec 2016 07:33

Is TLS v1.2 possible w dotConnect 7.6 and Postgres 9.6 on Windows ?

Post by tgrovnes » Mon 05 Dec 2016 08:38

In my setup I'm using dotConnect 7.6 and Postgres 9.6 running on Windows 10/Windows Server 2012 with the following ssl configuration:

ssl = on
ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL:@STRENGTH'

With this setup I'm only able to get a TLS 1.1 connection, cipher=AES256-SHA (reported by postgres debug output). I've tried other lists as well but this is as "good as it gets".

Using PgAdmin and openssl.exe the server reports TLS 1.2 connections, cipher=ECDHE-RSA-AES256-GCM-SHA384

In addition whenever I put !SSLv3 and/or !TLSv1 in the Postgres Cipher List dotConnect fails to connect with the error "The server hello message uses a protocol that was not recognized", PgAdmin and openssl.exe connects without an issue in these cases.

Am I missing something that prevents dotConnect from achieving a TLS 1.2 connection, or is this a known limitation? Any advice would be appreciated.

Pinturiccio
Devart Team
Posts: 2420
Joined: Wed 02 Nov 2011 09:44

Re: Is TLS v1.2 possible w dotConnect 7.6 and Postgres 9.6 on Windows ?

Post by Pinturiccio » Tue 06 Dec 2016 15:43

We will add a connection string parameter to determine which TLS version must be used and post here about the results.
tgrovnes wrote: cipher=ECDHE-RSA-AES256-GCM-SHA384
dotConnect for PostgreSQL does not support the cipher of such a format. We will investigate the possibility to support such cipher format, but we can't tell any timeframe at the moment.

tgrovnes
Posts: 11
Joined: Mon 05 Dec 2016 07:33

Re: Is TLS v1.2 possible w dotConnect 7.6 and Postgres 9.6 on Windows ?

Post by tgrovnes » Tue 06 Dec 2016 20:20

My main interest is getting a connection using TLS v1.2 with a "safe" cipher, not specifically ECDHE-RSA-AES256-GCM-SHA384 but one of the recommended according to f.ex. https://github.com/ssllabs/research/wik ... -protocols
see 2.2. and 2.3

tgrovnes
Posts: 11
Joined: Mon 05 Dec 2016 07:33

Re: Is TLS v1.2 possible w dotConnect 7.6 and Postgres 9.6 on Windows ?

Post by tgrovnes » Thu 22 Dec 2016 08:48

@Pinturiccio any idea when the connection string parameter will be available? Also, if this parameter is not set, will dotConnect negotiate its way to TLS1.2 if that is what is configured on the Postgres server?

Shalex
Site Admin
Posts: 9543
Joined: Thu 14 Aug 2008 12:44

Re: Is TLS v1.2 possible w dotConnect 7.6 and Postgres 9.6 on Windows ?

Post by Shalex » Thu 22 Dec 2016 11:48

tgrovnes wrote: any idea when the connection string parameter will be available?
An approximate timeframe is one month. We will notify you when it is implemented.
tgrovnes wrote: Also, if this parameter is not set, will dotConnect negotiate its way to TLS1.2 if that is what is configured on the Postgres server?
There is no way to use TLSv1.2 via dotConnect for PostgreSQL at the moment. As a temporary workaround, please use TLSv1.1.

tgrovnes
Posts: 11
Joined: Mon 05 Dec 2016 07:33

Re: Is TLS v1.2 possible w dotConnect 7.6 and Postgres 9.6 on Windows ?

Post by tgrovnes » Thu 22 Dec 2016 13:05

Good news!

I fully understand TLS1.2 is not working currently and TLS 1.1. is an option.

About the fix you are planning to implement:
Will DotConnect negotiate by default to TLS1.2 with this fix i.e. if no specific TLS version is set in the connection string or is this too early to say?

About ciphers:
My main interest is getting a connection using TLS v1.2 with a "safe" cipher, not specifically ECDHE-RSA-AES256-GCM-SHA384 but one of the recommended according to f.ex. https://github.com/ssllabs/research/wik ... -protocols see sections 2.2. and 2.3

Thanks again

Shalex
Site Admin
Posts: 9543
Joined: Thu 14 Aug 2008 12:44

Re: Is TLS v1.2 possible w dotConnect 7.6 and Postgres 9.6 on Windows ?

Post by Shalex » Thu 22 Dec 2016 13:48

tgrovnes wrote: Will DotConnect negotiate by default to TLS1.2 with this fix i.e. if no specific TLS version is set in the connection string or is this too early to say?
We will describe a default behaviour after the feature is implemented.

tgrovnes
Posts: 11
Joined: Mon 05 Dec 2016 07:33

Re: Is TLS v1.2 possible w dotConnect 7.6 and Postgres 9.6 on Windows ?

Post by tgrovnes » Fri 03 Feb 2017 14:20

Are there any updates on this issue? I have to decide if I should continue to wait or if I should investigate other ways of addressing this. I'd prefer an update to dotConnect of course :). Any feedback/progress would be appreciated.

Thank you

/T

Pinturiccio
Devart Team
Posts: 2420
Joined: Wed 02 Nov 2011 09:44

Re: Is TLS v1.2 possible w dotConnect 7.6 and Postgres 9.6 on Windows ?

Post by Pinturiccio » Wed 08 Feb 2017 16:33

We have added the "SSL TLS Protocol" connection string parameter to PgSqlConnection for specifying the preferred TLS version that will be sent to the server. We will post here when the corresponding build of dotConnect for PostgreSQL is available for download.

The behavior of this parameter is the following:
1. If the parameter is not specified, the 1.1 value is used;
2. If you specify a value, for example, 1.2, this version will be sent to server as preferred when connecting.

If the server does not support the specified version, it won’t cause an error. Instead the server will return the maximal version value it supports, and this version will be used by the connection. For example, suppose the server supports TLS 1.0 and does not support TLS 1.1 and TLS 1.2. If you set the "SSL TLS Protocol" parameter to 1.1 or 1.2, the resulting connection will use TLS 1.0.

tgrovnes
Posts: 11
Joined: Mon 05 Dec 2016 07:33

Re: Is TLS v1.2 possible w dotConnect 7.6 and Postgres 9.6 on Windows ?

Post by tgrovnes » Thu 09 Feb 2017 11:47

Great, looking forward to trying it out

Pinturiccio
Devart Team
Posts: 2420
Joined: Wed 02 Nov 2011 09:44

Re: Is TLS v1.2 possible w dotConnect 7.6 and Postgres 9.6 on Windows ?

Post by Pinturiccio » Thu 09 Feb 2017 17:21

New build of dotConnect for PostgreSQL 7.7.837 is available for download now!
It can be downloaded from http://www.devart.com/dotconnect/postgr ... nload.html (trial version) or from Registered Users' Area (for users with valid subscription only).
For more information, please refer to viewtopic.php?t=34948

tgrovnes
Posts: 11
Joined: Mon 05 Dec 2016 07:33

Re: Is TLS v1.2 possible w dotConnect 7.6 and Postgres 9.6 on Windows ?

Post by tgrovnes » Tue 14 Feb 2017 08:57

Tested, works as described, i.e. defaults to TLS 1.1 without the connection string parameter "SSL TLS Protocol", setting it to 1.2 enabled TLS 1.2

Good work, thanks

afuste
Posts: 1
Joined: Fri 22 Feb 2019 21:36

Re: Is TLS v1.2 possible w dotConnect 7.6 and Postgres 9.6 on Windows ?

Post by afuste » Mon 25 Feb 2019 14:25

I know this is an old post, but in the connection string I am setting "SslMode=require;Ssl Cipher List=AES;SSL TLS Protocol=1.2; ..." and I still get the exception "Devart.Data.PostgreSql.PgSqlException from Devart.Data.PostgreSql: The server hello message uses a protocol that was not recognized.".

The database server has the following configuration: protocol: "TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off".
Any idea on how to compose the client connection string to make this work???

This is what wireshark shows for the "client hello" message:
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
.... which results in Alert (Level: Fatal, Description: Handshake Failure)

Some information about Devart.Data.PostgreSql:
Path: C:\Program Files (x86)\Common Files\Devart\dotConnect\5.0\Net2\Common\Devart.Data.PostgreSql.dll
Version: 7.9.912.0
Runtime Version: v2.0.50727

Question: Does Devart use a proprietary subset of openssl? Can I somehow use openssl with devart (since we know we can connect with openssl to the db server)? I am in need of getting past this roadblock.

Need help urgently.
Thanks!

Pinturiccio
Devart Team
Posts: 2420
Joined: Wed 02 Nov 2011 09:44

Re: Is TLS v1.2 possible w dotConnect 7.6 and Postgres 9.6 on Windows ?

Post by Pinturiccio » Fri 01 Mar 2019 17:36

dotConnect for PostgreSQL supports TLS 1.2. However, it supports only ciphers available in TLS 1.1. ECDHE-RSA-AES256-GCM-SHA384 is available only for TLS 1.2 and is not supported by dotConnect for PostgreSQL.
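
The mismatch discussed in the two posts above can be reproduced without the provider. The following is an added example, not part of the thread and not Devart code: a Python probe that sends PostgreSQL's SSLRequest and then offers the server exactly one cipher suite, capped at TLS 1.2. The function names, default host and port are assumptions, and certificate validation is switched off because only protocol and cipher negotiation is being examined.

```python
import socket
import ssl
import struct
import sys

# PostgreSQL SSLRequest message: Int32 length (8), Int32 code 80877103.
SSL_REQUEST = struct.pack("!II", 8, 80877103)


def client_context(ciphers, max_version=ssl.TLSVersion.TLSv1_2):
    """Client context offering only `ciphers` (an OpenSSL cipher string)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # diagnostic only: the certificate
    ctx.verify_mode = ssl.CERT_NONE   # is not validated by this probe
    ctx.maximum_version = max_version
    ctx.set_ciphers(ciphers)
    return ctx


def probe(host, port, ciphers):
    """Return (tls_version, cipher) on success or ("failed", reason)."""
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            raw.sendall(SSL_REQUEST)
            if raw.recv(1) != b"S":   # "N" means the server has ssl = off
                return ("failed", "server declined SSLRequest")
            with client_context(ciphers).wrap_socket(raw) as tls:
                return (tls.version(), tls.cipher()[0])
    except OSError as exc:            # ssl.SSLError is a subclass of OSError
        return ("failed", getattr(exc, "reason", None) or str(exc))


if __name__ == "__main__":
    # Assumed defaults; pass your own host and port on the command line.
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 5432
    # First offer: the suite seen in the Wireshark capture (0x0035).
    # Second offer: the suite the server in the thread reports.
    for offer in ("AES256-SHA", "ECDHE-RSA-AES256-GCM-SHA384"):
        print(offer, "->", probe(host, port, offer))
```

Against a server that accepts only TLS 1.2 suites, the first offer should come back as failed while the second reports TLSv1.2, which separates a cipher mismatch from a protocol-version problem.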

Shalex
Site Admin
Posts: 9543
Joined: Thu 14 Aug 2008 12:44

Re: Is TLS v1.2 possible w dotConnect 7.6 and Postgres 9.6 on Windows ?

Post by Shalex » Tue 26 Jan 2021 19:46

The new public build dotConnect for PostgreSQL v7.20.1812 includes assemblies compiled for .NET Framework 4.7:
* "C:\Program Files (x86)\Devart\dotConnect\PostgreSQL\NET4\Devart.Data.dll"
* "C:\Program Files (x86)\Devart\dotConnect\PostgreSQL\NET4\Devart.Data.PostgreSql.dll"

The .NET Framework 4.7 assemblies include runtime support for ciphers used by TLS 1.2.

By default, assemblies compiled for .NET Framework 2.0 are used:
* "C:\Program Files (x86)\Devart\dotConnect\PostgreSQL\Devart.Data.dll"
* "C:\Program Files (x86)\Devart\dotConnect\PostgreSQL\Devart.Data.PostgreSql.dll"

Please select the "Do not install assemblies in the GAC" option in Setup Wizard. Otherwise, the runtime will load provider assemblies compiled for .NET Framework 2.0 from GAC.
