Azure PostgreSQL 服务器上的 TLSv1.2
TLSv1.2 on Azure PostgreSQL Server
我正在尝试确保 PostgreSQL 客户端与 Azure PostgreSQL 服务器(版本 10.7)的连接使用的是 TLSv1.2。当我执行 psql 命令时,连接 header 显示协议 TLSv1.2:
[user ~]# psql -h psql_server.postgres.database.azure.com -p 5432 -U psql_admin_accnt@psql_server -W postgres
Password:
psql (10.7)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.
然而,当我查询 pg_stat_ssl table 时,我得到的信息是,当前连接正在使用 TLSv1.1 和 cipher 信息也不相同。
postgres=> SELECT * FROM pg_stat_ssl;
pid | ssl | version | cipher | bits | compression | clientdn
--------+-----+---------+----------------------+------+-------------+----------
168648 | t | TLSv1.1 | ECDHE-RSA-AES256-SHA | 256 | f |
(1 row)
我应该依赖哪个信息是正确的?我的 psql 连接真的使用 TLSv1.2 还是从 PostgreSQL 系统 tables.
看到的 TLSv1.1
看来这个问题已经被微软自己解决了
[user@host ~]$ /usr/pgsql-10/bin/psql "host=psql_server.postgres.database.azure.com port=5432 dbname=dbname user=psql_admin_accnt@psql_server sslmode=require sslrootcert=/path/to/BaltimoreCyberTrustRoot.cer"
Password:
psql (10.11)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.
dbname=> SELECT * FROM pg_stat_ssl WHERE pid = pg_backend_pid();
pid | ssl | version | cipher | bits | compression | clientdn
--------+-----+---------+-----------------------------+------+-------------+----------
812820 | t | TLSv1.2 | ECDHE-RSA-AES256-GCM-SHA384 | 256 | f |
(1 row)
dbname=> SELECT VERSION();
version
-------------------------------------------------------------
PostgreSQL 10.11, compiled by Visual C++ build 1800, 64-bit
(1 row)
现在,正确返回了 TLS 版本。
我正在尝试确保 PostgreSQL 客户端与 Azure PostgreSQL 服务器(版本 10.7)的连接使用的是 TLSv1.2。当我执行 psql 命令时,连接 header 显示协议 TLSv1.2:
[user ~]# psql -h psql_server.postgres.database.azure.com -p 5432 -U psql_admin_accnt@psql_server -W postgres
Password:
psql (10.7)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.
然而,当我查询 pg_stat_ssl table 时,我得到的信息是,当前连接正在使用 TLSv1.1 和 cipher 信息也不相同。
postgres=> SELECT * FROM pg_stat_ssl;
pid | ssl | version | cipher | bits | compression | clientdn
--------+-----+---------+----------------------+------+-------------+----------
168648 | t | TLSv1.1 | ECDHE-RSA-AES256-SHA | 256 | f |
(1 row)
我应该依赖哪个信息是正确的?我的 psql 连接真的使用 TLSv1.2 还是从 PostgreSQL 系统 tables.
TLSv1.1
看来这个问题已经被微软自己解决了
[user@host ~]$ /usr/pgsql-10/bin/psql "host=psql_server.postgres.database.azure.com port=5432 dbname=dbname user=psql_admin_accnt@psql_server sslmode=require sslrootcert=/path/to/BaltimoreCyberTrustRoot.cer"
Password:
psql (10.11)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.
dbname=> SELECT * FROM pg_stat_ssl WHERE pid = pg_backend_pid();
pid | ssl | version | cipher | bits | compression | clientdn
--------+-----+---------+-----------------------------+------+-------------+----------
812820 | t | TLSv1.2 | ECDHE-RSA-AES256-GCM-SHA384 | 256 | f |
(1 row)
dbname=> SELECT VERSION();
version
-------------------------------------------------------------
PostgreSQL 10.11, compiled by Visual C++ build 1800, 64-bit
(1 row)
现在,正确返回了 TLS 版本。