Security

Our checkbox enforcers InfoSec folks have determined that we must restrict TLS to v1.2 and I'm unable to find a setting for the postgres listener on 5432/tcp. I've played with the Disable TLS version 1.0/1.1 cluster-wide parameters in my lab (running v6.7.8), but I'm still seeing TLSv1.1 in my scans (sslyze --regular --starttls=postgres <pub>:5432).

 

Is there a way to manage the TLS settings for postgres?

,

 

I'm not aware of such an option be available to the end user.

However, I pretty sure TAC can login to the database with admin acces and set the SSL requirements.

 

Not sure if they will comply to your demand though  

 

Good luck

Were you ever able to resolve this?  Infosec is flagging me for the same TLSV1.1 and I'd like to disable it.

------------------------------
C
------------------------------

Original Message:
Sent: Jan 30, 2020 02:05 PM
From: Daniel McDavid
Subject: CPPM Postgres TLS Settings

Our checkbox enforcers InfoSec folks have determined that we must restrict TLS to v1.2 and I'm unable to find a setting for the postgres listener on 5432/tcp. I've played with the Disable TLS version 1.0/1.1 cluster-wide parameters in my lab (running v6.7.8), but I'm still seeing TLSv1.1 in my scans (sslyze --regular --starttls=postgres <pub>:5432).

 

Is there a way to manage the TLS settings for postgres?

At least in CPPM 6.9.5, I see TLS 1.1 is not allowed. You may consider upgrading, or work with Aruba Support.

 * TLS 1.0 Cipher Suites:
     Attempted to connect using 80 cipher suites; the server rejected all cipher suites.

 * TLS 1.1 Cipher Suites:
     Attempted to connect using 80 cipher suites; the server rejected all cipher suites.

 * SSL 3.0 Cipher Suites:
     Attempted to connect using 80 cipher suites; the server rejected all cipher suites.​

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
------------------------------

Original Message:
Sent: Apr 28, 2021 06:58 PM
From: C
Subject: CPPM Postgres TLS Settings

Were you ever able to resolve this?  Infosec is flagging me for the same TLSV1.1 and I'd like to disable it.

------------------------------
C

Original Message:
Sent: Jan 30, 2020 02:05 PM
From: Daniel McDavid
Subject: CPPM Postgres TLS Settings

Our checkbox enforcers InfoSec folks have determined that we must restrict TLS to v1.2 and I'm unable to find a setting for the postgres listener on 5432/tcp. I've played with the Disable TLS version 1.0/1.1 cluster-wide parameters in my lab (running v6.7.8), but I'm still seeing TLSv1.1 in my scans (sslyze --regular --starttls=postgres <pub>:5432).

 

Is there a way to manage the TLS settings for postgres?