6.9 Ensure the TLSv1.0 and TLSv1.1 Protocols are Disabled

Information

Transport Layer Security (TLS), and its predecessor Secure Sockets Layer (SSL) are cryptographic protocols which can be used to encrypt data sent between client and server.

Rationale:

The TLSv1.0 protocol is vulnerable to the BEAST attack when used in CBC mode (October 2011). TLSv1.0 uses CBC modes for all of the block mode ciphers, which only leaves the RC4 streaming cipher which is also weak and therefore not recommended. Therefore, it is recommended that the TLSv1.0 protocol is disabled. The TLSv1.1 protocol does not support Authenticated Encryption with Associated Data (AEAD) which is designed to simultaneously provide confidentiality, integrity, and authenticity. All major up-to-date browsers support TLSv1.2, and most recent versions of Firefox and Chrome support the newer TLSv1.3 protocol, since 2017.

IETF deprecated TLSv1.0 and TLSv1.1 in March 2021 (see RFC 8996).

Solution

Adjust the ssl_min_protocol_version to at least TLSv1.2:

ALTER SYSTEM SET ssl_min_protocol_version = 'TLSv1.2';

or (preferred):

ALTER SYSTEM SET ssl_min_protocol_version = 'TLSv1.3';

In either case, make the change active:

SELECT pg_reload_conf();
SHOW ssl_min_protocol_version;

See Also

https://workbench.cisecurity.org/benchmarks/17004

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1)

Plugin: PostgreSQLDB

Control ID: 258374d6718027a9d0cb35110a5e855367c181bf82df7558829ca966cb7fd127