Follow along as we walk through the steps: checking which TLS versions and cipher suites port 5432 accepts with nmap, modifying the postgresql.conf file, restarting the gstd service, and then verifying the change with the same nmap scan.
This walkthrough shows how to disable TLS 1.0 and TLS 1.1 connections to the PostgreSQL database port 5432 on the NetWorker Management Console (NMC) server. To check which cipher suites and protocol versions the server accepts on port 5432 we use the open-source nmap tool and its ssl-enum-ciphers script, so nmap has to be installed on the NMC server (or on any host that can reach port 5432 on it).
Run with the command shown in the video, nmap reports exactly which cipher suites the server accepts on the port we pass with -p, here port 5432, the port used by PostgreSQL. The result shows that TLS 1.0, 1.1, 1.2 and 1.3 are all accepted on port 5432 of the NMC server, and that is what we are going to change: for security reasons we want port 5432 to negotiate only TLS 1.2 and TLS 1.3. To disable TLS 1.0 and 1.1 on this port we edit the PostgreSQL configuration file, whose default location is shown in the video. Before editing, take a copy of the file so the change can be reverted.
In the NMC database directory we find the postgresql.conf file, which holds all of the configuration for the PostgreSQL instance. The line of interest is ssl_ciphers, which takes an OpenSSL cipher list (entries separated by colons). We prepend "!TLSv1.0:!TLSv1.1:" to the existing value, giving the line shown in the video. This works because the OpenSSL TLSv1.0 keyword selects the legacy suites that TLS 1.0 and TLS 1.1 are able to use; negating it leaves those protocol versions with no usable suite, while TLS 1.2 keeps its own SHA-256 and AEAD suites and TLS 1.3 suites are not governed by ssl_ciphers at all. Two caveats: OpenSSL has no TLSv1.1 cipher keyword (TLS 1.1 added no new suites), so the "!TLSv1.1" entry is harmless but does no extra work; and if the bundled PostgreSQL is version 12 or later, the cleaner setting is ssl_min_protocol_version = 'TLSv1.2', which refuses the old versions at the protocol level instead of starving them of cipher suites.
We save the file and then restart the gstd process on the NMC server so that postgresql.conf is read again and the new configuration takes effect. As this is a Windows machine we use the net stop and net start commands to stop and restart gstd. Once gstd is back up we run exactly the same nmap command as before to confirm that the change has taken effect on the NMC server.
It is the same nmap command with -p 5432 listing the ciphers, and this time the output is different: only TLS 1.2 and TLS 1.3 are accepted, which is what we want. So nmap confirms that the change to postgresql.conf has been successful and port 5432 now reports only TLS 1.2 and 1.3. If the old versions still appear, check that the edited ssl_ciphers line is not commented out and that the PostgreSQL instance was actually restarted.
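The whole procedure above, scripted end to end, as an added example that is not part of the original page or of the NetWorker product. It assumes nmap is on the PATH, that it runs elevated on the NMC server, that the PostgreSQL configuration lives at the path you set in $ConfPath (the page only shows the location in the video, so the default here is a placeholder), and that the service name is gstd as used on the page. The nmap script name ssl-enum-ciphers is nmap's standard cipher-enumeration script; the page does not name the script it ran.

```powershell
# Added example (not from the original page): disable TLS 1.0/1.1 on the NMC PostgreSQL
# listener by editing ssl_ciphers, restarting gstd, and re-checking with nmap.
param(
    [string]$ConfPath = 'C:\path\to\nmcdb\postgresql.conf',  # assumption: point at your NMC database directory
    [string]$NmcHost  = 'localhost',
    [int]$Port        = 5432,
    [string]$Service  = 'gstd'                               # service name as used on the page
)

function Get-AcceptedTlsVersions {
    param([string]$TargetHost, [int]$TargetPort)
    # ssl-enum-ciphers prints one "|   TLSv1.x:" header per protocol version the server accepts.
    Get-Command nmap -ErrorAction Stop | Out-Null
    $out = & nmap --script ssl-enum-ciphers -p $TargetPort $TargetHost 2>&1 | ForEach-Object { "$_" }
    $out | Select-String -Pattern '^\|\s+(TLSv1\.\d|SSLv3):' |
        ForEach-Object { $_.Matches[0].Groups[1].Value } | Sort-Object -Unique
}

# 1. Baseline: what does port 5432 accept today?
$before = Get-AcceptedTlsVersions -TargetHost $NmcHost -TargetPort $Port
Write-Host "Before: $($before -join ', ')"

# 2. Back up postgresql.conf, then prepend !TLSv1.0:!TLSv1.1: to the existing ssl_ciphers
#    value (the page's approach). A commented-out line is uncommented so the setting is active.
Copy-Item -Path $ConfPath -Destination "$ConfPath.bak-$(Get-Date -Format yyyyMMddHHmmss)"
$conf    = Get-Content -Path $ConfPath -Raw
$pattern = "(?m)^(#?\s*ssl_ciphers\s*=\s*')([^']*)('.*)$"
if ($conf -notmatch $pattern) { throw "no ssl_ciphers line found in $ConfPath" }
$conf = [regex]::Replace($conf, $pattern, {
    param($m)
    $current = $m.Groups[2].Value
    if ($current -notmatch '!TLSv1\.0') { $current = "!TLSv1.0:!TLSv1.1:$current" }
    "ssl_ciphers = '$current$($m.Groups[3].Value)"
})
Set-Content -Path $ConfPath -Value $conf -NoNewline
Select-String -Path $ConfPath -Pattern '^ssl_ciphers' | ForEach-Object { Write-Host "Now: $($_.Line)" }

# 3. Restart gstd so PostgreSQL re-reads postgresql.conf.
net stop $Service
net start $Service

# 4. Verify: only TLSv1.2 and TLSv1.3 should remain.
$after = Get-AcceptedTlsVersions -TargetHost $NmcHost -TargetPort $Port
Write-Host "After: $($after -join ', ')"
if ($after | Where-Object { $_ -in 'SSLv3', 'TLSv1.0', 'TLSv1.1' }) {
    Write-Error "Legacy TLS versions still accepted on port $Port"
} else {
    Write-Host "OK: port $Port accepts only $($after -join ', ')"
}
```

Run it once with the real path to postgresql.conf; the before/after lines give you the same evidence the video captures from the two nmap scans, and the timestamped backup lets you roll back if an NMC client turns out to need TLS 1.0 or 1.1.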