Connect to Postgres with SSLv3 disabled on the server

Posted: Tue 14 Feb 2017 10:47
by tgrovnes
I'm using dotConnect 7.7.837.0 and Postgres 9.6 running on Windows 10/Windows Server 2012 with the following ssl configuration:

ssl = on
ssl_ciphers = 'HIGH:MEDIUM:+3DES:!SSLv3:!aNULL:@STRENGTH'

I'm only allowing SSL connections in pg_hba.conf.

I run the postgres db from command line with the -d 1 flag to get a report on the quality of the connection.

With this setup dotConnect fails to connect with the error "The server hello message uses a protocol that was not recognized".

I've tried other cipher lists as well but whenever I put !SSLv3 in the Postgres Cipher List it fails to connect.

However, PgAdmin and openssl.exe connect without an issue in these cases; in both cases the server reports TLS 1.2 connections, cipher=ECDHE-RSA-AES256-GCM-SHA384.

The main reason for adding !SSLv3 to the cipher list is to prevent any client connecting to the Postgres server using the less secure SSL3 protocol as this poses a security risk.

Re: Connect to Postgres with SSLv3 disabled on the server

Posted: Thu 16 Feb 2017 10:40
by Shalex
For some reason, !SSLv3 doesn't allow usage of any of the ciphers supported by dotConnect for PostgreSQL (for TLS 1.0 as well). We will investigate the issue and notify you about the result.
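
Added example, not part of the original thread and not Devart or PostgreSQL code: in an OpenSSL cipher string, SSLv3 names a group of cipher suites rather than a protocol version, so `!SSLv3` deletes suites from the server's list and leaves the protocol limits alone. The Python sketch below asks the local OpenSSL (through the standard `ssl` module) what the cipher string from the first post keeps and drops; the function names are made up for this example, and the exact suite list depends on the OpenSSL build.

```python
import ssl

# Cipher strings: the first is the one from the thread, the second only drops "!SSLv3".
WITH_EXCLUSION = "HIGH:MEDIUM:+3DES:!SSLv3:!aNULL:@STRENGTH"
WITHOUT_EXCLUSION = "HIGH:MEDIUM:+3DES:!aNULL:@STRENGTH"


def suites(cipher_string):
    """Map suite name -> OpenSSL protocol tag for the suites the string selects."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    # TLS 1.3 suites are not controlled by this string and are always listed; skip them.
    return {c["name"]: c["protocol"] for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"}


def removed_by_exclusion():
    """Suites that disappear from the server's list once "!SSLv3" is added."""
    before = suites(WITHOUT_EXCLUSION)
    after = suites(WITH_EXCLUSION)
    return {name: tag for name, tag in before.items() if name not in after}


def protocol_limits_unchanged():
    """True if applying the cipher string leaves the min/max protocol versions as they were."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    before = (ctx.minimum_version, ctx.maximum_version)
    ctx.set_ciphers(WITH_EXCLUSION)
    return before == (ctx.minimum_version, ctx.maximum_version)


if __name__ == "__main__":
    print("OpenSSL build:", ssl.OPENSSL_VERSION)
    kept = suites(WITH_EXCLUSION)
    print("kept, by tag:", sorted(set(kept.values())))
    for name, tag in sorted(removed_by_exclusion().items()):
        print("removed:", name, tag)
    print("protocol limits unchanged:", protocol_limits_unchanged())
```

A client has to offer at least one of the kept suites to complete the handshake; to restrict protocol versions themselves, use the server's protocol-version settings rather than the cipher list.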

Re: Connect to Postgres with SSLv3 disabled on the server

Posted: Fri 10 Mar 2017 08:53
by tgrovnes
Some additional info, dotConnect/Postgres handshake from Wireshark (below), see list of safe TLS1.2 ciphers here >> https://wiki.openssl.org/index.php/Manual:Ciphers(1)

[Image: Wireshark capture of the dotConnect/Postgres handshake]

Re: Connect to Postgres with SSLv3 disabled on the server

Posted: Fri 10 Mar 2017 12:30
by Shalex
Thank you for the additional information. We will notify you about the result of our investigation.

Re: Connect to Postgres with SSLv3 disabled on the server

Posted: Mon 01 Apr 2019 16:43
by sckienle
Do you have an update? I am having the same error message "The server hello message uses a protocol that was not recognized" when trying to connect to an external database with dbForge for PostgreSQL. pgAdmin and other tools can connect just fine, so I know it isn't a network or database issue.

Thanks,
Steve

Re: Connect to Postgres with SSLv3 disabled on the server

Posted: Thu 04 Apr 2019 14:48
by Pinturiccio
Could you please email this issue to our support team to support at devart dot com? Or use our contact form. Please specify the details of the issue, especially the value of ssl_ciphers in the postgresql.conf file of your PostgreSQL server.

Re: Connect to Postgres with SSLv3 disabled on the server

Posted: Tue 26 Jan 2021 19:46
by Shalex
The new public build dotConnect for PostgreSQL v7.20.1812 includes assemblies compiled for .NET Framework 4.7:
* "C:\Program Files (x86)\Devart\dotConnect\PostgreSQL\NET4\Devart.Data.dll"
* "C:\Program Files (x86)\Devart\dotConnect\PostgreSQL\NET4\Devart.Data.PostgreSql.dll"

The .NET Framework 4.7 assemblies include runtime support for ciphers used by TLS 1.2.

By default, assemblies compiled for .NET Framework 2.0 are used:
* "C:\Program Files (x86)\Devart\dotConnect\PostgreSQL\Devart.Data.dll"
* "C:\Program Files (x86)\Devart\dotConnect\PostgreSQL\Devart.Data.PostgreSql.dll"

Please select the "Do not install assemblies in the GAC" option in Setup Wizard. Otherwise, the runtime will load provider assemblies compiled for .NET Framework 2.0 from GAC.