Enabling and disabling ciphers

Learn how to enable and disable TLS 1.2 ciphers if you are on Netezza Performance Server 11.2.1.5, 11.2.2.0 or later.

Ciphers order

The following is a list of ciphers ordered by priority (from highest to lowest):
  • ECDHE-RSA-AES256-GCM-SHA384
  • AES256-GCM-SHA384
  • ECDHE-RSA-AES128-GCM-SHA256
  • AES128-GCM-SHA256
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES128-GCM-SHA256
Note: If you disabled ECDHE-ECDSA-AES256-GCM-SHA384 or ECDHE-ECDSA-AES128-GCM-SHA256, you must revert the certificates that you created as described in Creating and enabling certificates. If you do not revert the certificates, the ciphers cannot be disabled.

Enabling ciphers

  1. Open the /nz/data/postgresql.conf file.
  2. Enable ciphers:
    • To enable a cipher that has preceding ciphers, add the cipher name that you want to enable and add ! before the ciphers that precede it.
      ssl_cipher_list_append = '!<preceding_cipher>:!<preceding_cipher>:<cipher_to_enable>'
      Tip: To separate ciphers, put a colon : after each cipher.
      Example:
      ssl_cipher_list_append = '!ECDHE-RSA-AES256-GCM-SHA384:!AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256'

      In the example, ECDHE-RSA-AES128-GCM-SHA256 is enabled, and the two ciphers that precede it, ECDHE-RSA-AES256-GCM-SHA384 and AES256-GCM-SHA384, are disabled.

    • To enable a cipher that does not have any preceding ciphers, add the cipher name that you want to enable.
      ssl_cipher_list_append = '<cipher_to_enable>'
      Tip: To separate ciphers, put a colon : after each cipher.
      Example:
      ssl_cipher_list_append = 'ECDHE-RSA-AES256-GCM-SHA384'
  3. Save postgresql.conf and restart the system.
    1. nzstop
    2. nzstart

Disabling ciphers

  1. Go to /nz/data/postgresql.conf.
  2. Edit the ssl_cipher_list_append line by adding an exclamation mark (!) before the cipher name that you want to disable.
    ssl_cipher_list_append = '!cipher'
    Example:
    ssl_cipher_list_append = '!ECDHE-RSA-AES128-GCM-SHA256'
    Tip: Ciphers are separated by a colon (:). To remove multiple ciphers at the same time, put an exclamation mark before each cipher. For example:
    ssl_cipher_list_append = '!AES128-GCM-SHA256:!ECDHE-RSA-AES128-GCM-SHA256:!ECDHE-ECDSA-AES128-GCM-SHA256'
  3. Save postgresql.conf and restart the system.
    1. nzstop
    2. nzstart
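
The following helper is an added example, not part of the product or of the original page. It builds the ssl_cipher_list_append value for the "Enabling ciphers" steps from the priority list above and checks a line from postgresql.conf before the restart, catching malformed cipher names and flagging disabled ECDSA ciphers. The function names build_value and check_line are hypothetical.

```python
import re

# Priority order as listed on this page (highest first).
CIPHER_ORDER = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
]
ECDSA = {c for c in CIPHER_ORDER if "ECDSA" in c}
LINE_RE = re.compile(r"^\s*ssl_cipher_list_append\s*=\s*'([^']*)'\s*$")


def build_value(cipher_to_enable):
    """Value that enables one cipher: '!' before every cipher that precedes it."""
    idx = CIPHER_ORDER.index(cipher_to_enable)  # ValueError on an unknown name
    return ":".join(["!" + c for c in CIPHER_ORDER[:idx]] + [cipher_to_enable])


def check_line(line):
    """Parse one postgresql.conf line; return (disabled, listed, findings)."""
    m = LINE_RE.match(line)
    if not m:
        return [], [], ["not a ssl_cipher_list_append = '...' line"]
    disabled, listed, findings = [], [], []
    for token in m.group(1).split(":"):
        name = token[1:] if token.startswith("!") else token
        if name not in CIPHER_ORDER:
            # Catches typos, stray spaces and trailing colons.
            findings.append("unknown or malformed cipher name: %r" % token)
        elif token.startswith("!"):
            disabled.append(name)
        else:
            listed.append(name)
    if ECDSA & set(disabled):
        findings.append("ECDSA cipher disabled: revert the certificates "
                        "first (see the Note under Ciphers order)")
    return disabled, listed, findings


if __name__ == "__main__":
    print("ssl_cipher_list_append = '%s'" % build_value("ECDHE-RSA-AES128-GCM-SHA256"))
```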