feat: default Postgres SSL protocol version to TLSv1.3 #3408
❗ By default, the pull request is configured to backport to all release branches.
Previously, CloudNativePG lacked the capability for users to configure specific TLS settings, relying on the default settings of PostgreSQL.

To address security and compliance concerns, CloudNativePG now sets the `ssl_min_protocol_version` and `ssl_max_protocol_version` GUCs to TLSv1.3 by default.

Additionally, users now have the flexibility to override these default options, along with the `ssl_ciphers` configuration.

Closes #3407
Closes #3376

Signed-off-by: Gabriele Bartolini <gabriele.bartolini@enterprisedb.com>
Signed-off-by: Gabriele Bartolini <gabriele.bartolini@enterprisedb.com>
Signed-off-by: Jonathan Gonzalez V <jonathan.gonzalez@enterprisedb.com>
/test depth=push test_level=4 feature_type=service-connectivity,replication
@sxd, here's the link to the E2E on CNPG workflow run: https://github.com/cloudnative-pg/cloudnative-pg/actions/runs/7010018465
@sxd, here's the link to the E2E on CNPG workflow run: https://github.com/cloudnative-pg/cloudnative-pg/actions/runs/7010087146
Signed-off-by: Jonathan Gonzalez V <jonathan.gonzalez@enterprisedb.com>
/test depth=push test_level=4 feature_type=service-connectivity,replication
@sxd, here's the link to the E2E on CNPG workflow run: https://github.com/cloudnative-pg/cloudnative-pg/actions/runs/7013922432
/test test_level=4 feature_type=service-connectivity,replication
@sxd, here's the link to the E2E on CNPG workflow run: https://github.com/cloudnative-pg/cloudnative-pg/actions/runs/7013973399
… pg11 Signed-off-by: Jonathan Gonzalez V <jonathan.gonzalez@enterprisedb.com>
Previously, CloudNativePG lacked the capability for users to configure specific TLS settings, relying on the default settings of PostgreSQL.

To address security and compliance concerns, CloudNativePG now sets the `ssl_min_protocol_version` and `ssl_max_protocol_version` GUCs to TLSv1.3 by default. These default settings are only for Postgres >= 12, since version 11 doesn't have support for these GUCs.

Additionally, users now have the flexibility to override these default options, along with the `ssl_ciphers` configuration.

Closes #3407
Closes #3376

Signed-off-by: Gabriele Bartolini <gabriele.bartolini@enterprisedb.com>
Signed-off-by: Jonathan Gonzalez V <jonathan.gonzalez@enterprisedb.com>
Co-authored-by: Jonathan Gonzalez V <jonathan.gonzalez@enterprisedb.com>
(cherry picked from commit 38ce92e)
Previously, CloudNativePG lacked the capability for users to configure specific TLS settings, relying on the default settings of PostgreSQL.

To address security and compliance concerns, CloudNativePG now sets the `ssl_min_protocol_version` and `ssl_max_protocol_version` GUCs to TLSv1.3 by default.

Additionally, users now have the flexibility to override these default options, along with the `ssl_ciphers` configuration.

Closes #3407
Closes #3376
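
The defaulting and override behaviour described in this pull request, sketched as an added example for auditing user overrides; it is not code from the PR or from CloudNativePG. `EffectiveTLS` and its finding strings are hypothetical, only the explicit values `TLSv1` through `TLSv1.3` are modelled, and the `ssl_ciphers` finding relies on PostgreSQL applying that setting only to TLS 1.2 and lower.

```go
package main

import "fmt"

// Ordering of the explicit values accepted by ssl_min/max_protocol_version.
var tlsRank = map[string]int{"TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}

// EffectiveTLS (hypothetical, not project code) applies the TLSv1.3 defaults for
// PostgreSQL >= 12, lets user parameters win, and returns settings plus findings.
func EffectiveTLS(pgMajor int, user map[string]string) (map[string]string, []string) {
	eff, findings := map[string]string{}, []string{}
	if pgMajor >= 12 {
		eff["ssl_min_protocol_version"] = "TLSv1.3"
		eff["ssl_max_protocol_version"] = "TLSv1.3"
	}
	for _, k := range []string{"ssl_min_protocol_version", "ssl_max_protocol_version", "ssl_ciphers"} {
		v, ok := user[k]
		if !ok {
			continue
		}
		if k != "ssl_ciphers" && pgMajor < 12 {
			findings = append(findings, k+": not supported before PostgreSQL 12")
			continue
		}
		if k != "ssl_ciphers" && tlsRank[v] == 0 {
			findings = append(findings, k+": unknown protocol version "+v)
			continue
		}
		eff[k] = v // a valid user override replaces the default
	}
	lo, hi := tlsRank[eff["ssl_min_protocol_version"]], tlsRank[eff["ssl_max_protocol_version"]]
	if pgMajor >= 12 && lo < tlsRank["TLSv1.3"] {
		findings = append(findings, "minimum lowered to "+eff["ssl_min_protocol_version"])
	}
	if pgMajor >= 12 && lo > hi {
		findings = append(findings, "minimum is above maximum")
	}
	if _, ok := eff["ssl_ciphers"]; ok && pgMajor >= 12 && lo == tlsRank["TLSv1.3"] {
		findings = append(findings, "ssl_ciphers has no effect on TLSv1.3 connections")
	}
	return eff, findings
}

func main() {
	// Constructed sample override: admit TLSv1.2 clients with a restricted cipher list.
	fmt.Println(EffectiveTLS(15, map[string]string{
		"ssl_min_protocol_version": "TLSv1.2", "ssl_ciphers": "ECDHE+AESGCM"}))
}
```

Overriding only `ssl_max_protocol_version` to `TLSv1.2` is the case most easily missed: the default minimum stays at TLSv1.3, so the range is inverted and the check reports it.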