Home / user-113899

Martin Thoma's questions

Martin Hope
Martin Thoma
Asked: 2019-06-17 03:16:09 +0800 CST
  • 3

I recently added TLS (letsencrypt with certbot) to my domain. It comes with a basic configuration options-ssl-nginx.conf which includes

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";

This part is identical to what Mozilla recommends.

Then I checked my domain with https://ssldecoder.org and . They complained that my server does not support TLSv1.3

Question 1: Why is TLSv1.3 not in ssl_protocols? Is there any reason not to add it?

Checking my site with https://www.ssllabs.com/ssltest shows some complaints about supported SSL ciphers:

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA

Question 2: How should I decide which ciphers to support?

If less ciphers are supported, less devices will be able to reach the site. But is there a way for me to judge how many that will be (something like caniuse.com for css, but for ciphers)? And, as this is the order of preference and the client can still take anyone they like: Why should I not support all?

nginx
Martin Hope
Martin Thoma
Asked: 2014-02-06 01:57:41 +0800 CST
  • 3

I currently have a Python script that needs to fetch some data from a PostgreSQL database. It currently works fine, but I have to move the script to another server B. The PostgreSQL database will remain at server A.

So my Python script needs to access the PostgreSQL-database from server B connecting to server A.

I've tried adding host=servera.my.url.de but that gave me

could not connect to server: Connection refused
       Is the server running on host "servera.my.url.de" (141.X.YZ.AB) and
       accepting TCP/IP connections on port 5432?

Is the server there?

ping servera.my.url.de
PING servera.my.url.de (141.X.YZ.AB) 56(84) bytes of data.
64 bytes from XXXXX (141.X.YZ.AB): icmp_req=1 ttl=58 time=3.76 ms
64 bytes from XXXXX (141.X.YZ.AB): icmp_req=2 ttl=58 time=4.07 ms
64 bytes from XXXXX (141.X.YZ.AB): icmp_req=3 ttl=58 time=5.01 ms
^C
--- servera.my.url.de ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 3.768/4.287/5.014/0.529 ms

so the server is running and reachable.

Is my Python script the problem?

psql -h servera.my.url.de -p 5930 -c "select 1"
psql: could not connect to server: Connection refused
    Is the server running on host "servera.my.url.de" (141.X.YZ.AB) and accepting
    TCP/IP connections on port 5930?

and

psql -h servera.my.url.de -p 5932 -U myusername -W -c "select 1" 
Password for user myusername: 
psql: could not connect to server: Connection refused
    Is the server running on host "servera.my.url.de" (141.X.YZ.AB) and accepting
    TCP/IP connections on port 5932?

Portscan

$ nmap -p 5000-6000 -sT servera.my.url.de

Starting Nmap 6.00 ( http://nmap.org ) at 2014-02-05 10:40 CET
Nmap scan report for servera.my.url.de (141.X.YZ.AB)
Host is up (0.054s latency).
rDNS record for 141.X.YZ.AB: XXXXXX
Not shown: 992 closed ports
PORT     STATE    SERVICE
5000/tcp filtered upnp
5025/tcp filtered unknown
5190/tcp filtered aol
5222/tcp filtered xmpp-client
5554/tcp filtered sgi-esphttp
5555/tcp filtered freeciv
5900/tcp filtered vnc
5901/tcp filtered vnc-1
6000/tcp filtered X11

Interesting that freeciv is running ...

When I make the port range higher, I get different results:

$ nmap -p 1000-6000 -sT servera.my.url.de

Starting Nmap 6.00 ( http://nmap.org ) at 2014-02-05 10:40 CET
Nmap scan report for servera.my.url.de (141.X.YZ.AB)
Host is up (0.054s latency).
rDNS record for 141.X.YZ.AB: XXXXXX
Not shown: 4868 closed ports, 130 filtered ports
PORT     STATE SERVICE
3000/tcp open  ppp
4443/tcp open  pharos
4444/tcp open  krb524

Could port 5025 be PostgreSQL?

Other tries

$ ps aux | grep postgres | grep -v 'postgres:'
postgres 28928 0.0 0.0 90124 820 ? s 2013 0:59 /usr/lib/postgresql91/bin/postgres -D /path/pgsql/data
[my command]

$ lsof -p 28928
[does not return anything, but does not quit]

Within PostgreSQL I typed SHOW port, but it returned nothing. Does this mean that PostgreSQL is not listening to any port? How can I make it listen?

Is it some setting in /path/pgsql/data? (I cannot access this at the moment, but I can ask.)

What can I do to figure out on which port postgreSql is listening (or if it is listening at all)? How can I make it listen to a port (or change the port)? I don't have root permissions on this machine, but I can login with SSH on server A.

I did see Determining PostgreSQL's port and tried everything from there:

  • netstat needs root rights
  • lsof does not work (I have no idea whats going wrong on the server ... on my machine, it works fine)
  • pg_lsclusters seems not to be installed
postgresql