Thanks.
If OpenSSL apply any patches at OS level, Is there any changes/maintenance we need to perform at PostgreSQL end?
On Thu, Nov 9, 2017 at 5:46 PM, Joe Conway <mail@xxxxxxxxxxxxx> wrote:
On 11/09/2017 01:59 PM, chiru r wrote:
> I am using PostgreSQL version *9.5.7* on Red hat enterprise Linux *7.2.*
>
> *OpenSSL version : * OpenSSL 1.0.1e-fips 11 Feb 2013.
>
> I have a requirement to enable the SSL in my environment with specific
> cipher suites,we want to restrict weak cipher suites from open SSL
> default list.
>
> We have list of cipher suites, which are authorized to use in my
> environment.So the Client Applications use one of authorized cipher
> suites while configuring application server.
>
> Is it require to install different version of OpenSSL software instead
> of default OpenSSL on Linux ?.
Note -- please don't cross post to hackers as it is off topic for that
list and cross posting is generally frowned upon (pgsql-hackers removed).
Assuming you mean that you need only FIPS 140-2 compliant ciphers, you
would want to configure the OS for system-wide FIPS compliance. See:
https://access.redhat.com/documentation/en-us/red_hat_ enterprise_linux/7/html/ security_guide/chap-federal_ standards_and_regulations
> How to configure the PostgreSQL to allow specif cipher suites from
> different client applications?
If you still need more control over what Postgres allows, see the
ssl_ciphers configuration setting here:
https://www.postgresql.org/docs/current/static/runtime- config-connection.html#GUC-SSL
HTH,
Joe
--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development
