Re: PostgreSQL SSL params

On 13.06.21 16:20, pramod kg wrote:
> I have enabled ssl on my PG servers and have set ssl_cipher to "HIGH". 
> Still, the security team complains that weak ciphers are accepted at 
> server side (They have run some security tests).

Try to get a list of specific ciphers that they object to.  Then you can 
use "openssl ciphers" and SSL_CTX_set_cipher_list(3) to tune your settings.

> Security team 
> suggesting to use ssl_dh_params_file.
> 
> As per my understanding, DH is a key exchange protocol (read in some 
> forum). DH is used to securely generate a common key between two 
> parties, other algorithms are used for encryption itself. So I 
> believe that dhparam does not help in resolving weak cipher issues. Need 
> some insight on this.

I think you are correct on this.