On 13.06.21 16:20, pramod kg wrote: > I have enabled ssl on my PG servers and have set ssl_cipher to "HIGH". > Still, the security team complains that weak ciphers are accepted at > server side (They have run some security tests).
Try to get a list of specific ciphers that they object to. Then you can use "openssl ciphers" and SSL_CTX_set_cipher_list(3) to tune your settings.
> Security team > suggesting to use ssl_dh_params_file. > > As per my understanding, DH is a key exchange protocol (read in some > forum). DH is used to securely generate a common key between two > parties, other algorithms are used for encryption itself. So I > believe that dhparam does not help in resolving weak cipher issues. Need > some insight on this.