
I have a PostgreSQL server (Windows) that is supposed to ONLY accept SSL connections, but it doesn’t.
This is the configuration of my pg_hba.conf file:

    # IPv4 local connections:
    hostssl all             all               0.0.0.0/0                 md5   

This is the SSL part of postgresql.conf:

    # - SSL -

    ssl = on 
    #ssl_ca_file = ''
    ssl_cert_file = 'server.crt'
    #ssl_crl_file = ''
    ssl_key_file = 'server.key'
    #ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
    #ssl_prefer_server_ciphers = on
    #ssl_ecdh_curve = 'prime256v1'
    #ssl_min_protocol_version = 'TLSv1.2'
    #ssl_max_protocol_version = ''
    #ssl_dh_params_file = ''
    #ssl_passphrase_command = ''
    #ssl_passphrase_command_supports_reload = off

In all the posts I’ve read, it seems that this is sufficient to allow connections ONLY with SSL. However, if I connect from code with Npgsql (C#) it requires SSL, while if I use another program, for example DBeaver, it connects with SSL, but also WITHOUT SSL.
What did I do wrong? I would like to connect only with SSL and not without.
I hope I was clear.

I hope for a solution.

EDIT:
As requested by Adrian Klaver I add the entire pg_hba.conf file. I removed the entire top, which is just a comment and I don’t think it’s any use, this is what’s left, nothing else.

    # TYPE  DATABASE        USER            ADDRESS                 METHOD

    # "local" is for Unix domain socket connections only
    local   all             all                                       md5
    # IPv4 local connections:
    hostnossl all           all               all                   reject
    hostssl all             all               0.0.0.0/0               md5
    #hostssl all           Sa|vA@Dat1          0.0.0.0/0                trust
    #host    all             all             127.0.0.1/32              password
    # IPv6 local connections:
    #host    all             all             ::1/128                   password
    # Allow replication connections from localhost, by a user with the
    # replication privilege.

EDIT 2:
(The request of Adrian is too big for comment)
This is the connection log with SSL

    connection authorized: user=xxxxx database=postgres SSL enabled (protocol=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384, bits=256, compression=deactivated)

This is the connection log WITHOUT SSL

    connection authorized: user=xxxxx database=postgres SSL enabled (protocol=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384, bits=256, compression=deactivated)

They are IDENTICAL. I don’t understand how this can happen: in the connection without SSL there are no references to the certificates and SSL is disabled. I’m testing with DBeaver, but I don’t think there are any differences with other tools.

2 Answers


  1. There must be another line in your pg_hba.conf that allows the unencrypted connections. To shut out such connections, add a line like this at the beginning:

    hostnossl all all all reject
    
  2. If all you did was uncheck the ‘use SSL’ box, that just means SSL is not mandatory for the client. But it will still use it if the opportunity arises.

    To forbid SSL, you need to (ironically) check ‘use SSL’ and then choose ‘disable’ from the mode drop-down list.

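An added example, not part of the original question or answers: a small Python check of the rule behind the first answer, namely that PostgreSQL applies the first `pg_hba.conf` record that matches and a non-SSL TCP connection can only match `host` or `hostnossl` records. The function names, the `app` user, the client addresses and the `LEAKY_HBA` sample are assumptions made for illustration; only `all`, literal names and CIDR addresses are evaluated.

```python
import ipaddress

# Record types a TCP connection *without* SSL can match; "hostssl" never does.
PLAINTEXT_TYPES = {"host", "hostnossl"}
# The question's active records after its first EDIT (taken from the page).
QUESTION_HBA = """\
local     all all            md5
hostnossl all all all        reject
hostssl   all all 0.0.0.0/0  md5
"""
# Constructed variant: a plain "host" record sits ahead of the hostssl one.
LEAKY_HBA = """\
host      all all 127.0.0.1/32 password
hostssl   all all 0.0.0.0/0    md5
"""

def _name_matches(field, value):
    # Assumption: only "all" and comma-separated literal names are handled.
    return field == "all" or value in field.split(",")

def _addr_matches(field, client_ip):
    if field == "all":
        return True
    try:
        net = ipaddress.ip_network(field, strict=False)
    except ValueError:
        return False  # host names, samehost, samenet: not evaluated here
    ip = ipaddress.ip_address(client_ip)
    return ip.version == net.version and ip in net

def first_plaintext_match(hba_text, database, user, client_ip):
    """First record a non-SSL TCP connection matches, as
    (line_no, type, method); None means no record matches (rejected)."""
    for line_no, raw in enumerate(hba_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # simplification: no quoted '#'
        if len(fields) < 5 or fields[0] not in PLAINTEXT_TYPES:
            continue
        rtype, db, usr, addr, method = fields[:5]  # CIDR form, no mask column
        if (_name_matches(db, database) and _name_matches(usr, user)
                and _addr_matches(addr, client_ip)):
            return line_no, rtype, method  # first match wins, no fall-through
    return None

def plaintext_allowed(hba_text, database, user, client_ip):
    hit = first_plaintext_match(hba_text, database, user, client_ip)
    return hit is not None and hit[2] != "reject"

if __name__ == "__main__":
    for name, hba in (("question", QUESTION_HBA), ("leaky", LEAKY_HBA)):
        print(name, first_plaintext_match(hba, "postgres", "app", "127.0.0.1"))
```

For the question's file the check reports that plaintext is rejected, which fits the second answer: the session logged as "SSL enabled" was negotiated by the client rather than admitted without encryption.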