Connect to Postgres with SSLv3 disabled on the server

Discussion of open issues, suggestions and bugs regarding ADO.NET provider for PostgreSQL
tgrovnes
Posts: 11
Joined: Mon 05 Dec 2016 07:33

Connect to Postgres with SSLv3 disabled on the server

Post by tgrovnes » Tue 14 Feb 2017 10:47

I'm using dotConnect 7.7.837.0 and Postgres 9.6 running on Windows 10/Windows Server 2012 with the following ssl configuration:

ssl = on
ssl_ciphers = 'HIGH:MEDIUM:+3DES:!SSLv3:!aNULL:@STRENGTH'

I'm only allowing SSL connections in pg_hba.conf.

I run the Postgres db from the command line with the -d 1 flag to get a report on the quality of the connection.

With this setup dotConnect fails to connect with the error "The server hello message uses a protocol that was not recognized".

I've tried other cipher lists as well but whenever I put !SSLv3 in the Postgres Cipher List it fails to connect.

However, PgAdmin and openssl.exe connect without an issue in these cases; in both cases the server reports TLS 1.2 connections, cipher=ECDHE-RSA-AES256-GCM-SHA384.

The main reason for adding !SSLv3 to the cipher list is to prevent any client connecting to the Postgres server using the less secure SSL3 protocol as this poses a security risk.

Shalex
Site Admin
Posts: 9543
Joined: Thu 14 Aug 2008 12:44

Re: Connect to Postgres with SSLv3 disabled on the server

Post by Shalex » Thu 16 Feb 2017 10:40

For some reason, !SSLv3 doesn't allow the use of any of the ciphers supported by dotConnect for PostgreSQL (for TLS 1.0 as well). We will investigate the issue and notify you about the result.
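Editorial example added to this thread (not code from the posters or from Devart): in an OpenSSL cipher string, `SSLv3` selects cipher suites by the protocol tag OpenSSL assigns them rather than switching a protocol version off, and which suites carry that tag depends on the OpenSSL build. The script lists what `!SSLv3` removes from the cipher string in the first post; `BASELINE` is an assumed comparison string (the posted one with the exclusion dropped).

```python
# Added example: inspect what an OpenSSL cipher string selects, using the
# OpenSSL build that this Python interpreter is linked against.
import ssl

PAGE_STRING = "HIGH:MEDIUM:+3DES:!SSLv3:!aNULL:@STRENGTH"  # from the first post
BASELINE = "HIGH:MEDIUM:+3DES:!aNULL:@STRENGTH"  # assumption: same, minus !SSLv3


def selected_suites(cipher_string):
    """Return {suite name: protocol tag} for the suites a cipher string enables."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return {c["name"]: c["protocol"] for c in ctx.get_ciphers()}


def removed_by_exclusion(baseline=BASELINE, restricted=PAGE_STRING):
    """Suites enabled by `baseline` that `restricted` no longer offers."""
    before = selected_suites(baseline)
    after = selected_suites(restricted)
    return {name: tag for name, tag in before.items() if name not in after}


def report():
    """Summarise the effect of !SSLv3 on the offered suite list."""
    after = selected_suites(PAGE_STRING)
    removed = removed_by_exclusion()
    lines = [
        f"OpenSSL build: {ssl.OPENSSL_VERSION}",
        f"suites left with !SSLv3: {len(after)}",
        f"suites removed by !SSLv3: {len(removed)}",
    ]
    for name, tag in sorted(removed.items()):
        lines.append(f"  removed  {name:32} tag={tag}")
    tags_left = sorted(set(after.values()))
    lines.append(f"protocol tags still offered: {', '.join(tags_left)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

The result reflects the OpenSSL that Python is linked against, which may differ from the build bundled with the PostgreSQL server, so compare the reported build version before drawing conclusions about a given server.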

tgrovnes
Posts: 11
Joined: Mon 05 Dec 2016 07:33

Re: Connect to Postgres with SSLv3 disabled on the server

Post by tgrovnes » Fri 10 Mar 2017 08:53

Some additional info: the dotConnect/Postgres handshake from Wireshark (below). See the list of safe TLS 1.2 ciphers here: https://wiki.openssl.org/index.php/Manual:Ciphers(1)

Image

Shalex
Site Admin
Posts: 9543
Joined: Thu 14 Aug 2008 12:44

Re: Connect to Postgres with SSLv3 disabled on the server

Post by Shalex » Fri 10 Mar 2017 12:30

Thank you for the additional information. We will notify you about the result of our investigation.

sckienle
Posts: 1
Joined: Mon 01 Apr 2019 16:37

Re: Connect to Postgres with SSLv3 disabled on the server

Post by sckienle » Mon 01 Apr 2019 16:43

Do you have an update? I am having the same error message "The server hello message uses a protocol that was not recognized" when trying to connect to an external database with dbForge for PostgreSQL. pgAdmin and other tools can connect just fine, so I know it isn't a network or database issue.

Thanks,
Steve

Pinturiccio
Devart Team
Posts: 2420
Joined: Wed 02 Nov 2011 09:44

Re: Connect to Postgres with SSLv3 disabled on the server

Post by Pinturiccio » Thu 04 Apr 2019 14:48

Could you please email this issue to our support team at support at devart dot com? Or use our contact form. Please specify the details of the issue, especially the value of ssl_ciphers in the postgresql.conf file of your PostgreSQL server.

Shalex
Site Admin
Posts: 9543
Joined: Thu 14 Aug 2008 12:44

Re: Connect to Postgres with SSLv3 disabled on the server

Post by Shalex » Tue 26 Jan 2021 19:46

The new public build dotConnect for PostgreSQL v7.20.1812 includes assemblies compiled for .NET Framework 4.7:
* "C:\Program Files (x86)\Devart\dotConnect\PostgreSQL\NET4\Devart.Data.dll"
* "C:\Program Files (x86)\Devart\dotConnect\PostgreSQL\NET4\Devart.Data.PostgreSql.dll"

The .NET Framework 4.7 assemblies include runtime support for ciphers used by TLS 1.2.

By default, assemblies compiled for .NET Framework 2.0 are used:
* "C:\Program Files (x86)\Devart\dotConnect\PostgreSQL\Devart.Data.dll"
* "C:\Program Files (x86)\Devart\dotConnect\PostgreSQL\Devart.Data.PostgreSql.dll"

Please select the "Do not install assemblies in the GAC" option in the Setup Wizard. Otherwise, the runtime will load provider assemblies compiled for .NET Framework 2.0 from the GAC.
