Enabling and disabling ciphers
Learn how to enable and disable TLS 1.2 ciphers if you are on Netezza Performance Server 11.2.1.5, 11.2.2.0 or later.
Ciphers order
The following is a list of ciphers ordered by priority (from highest to lowest):
- ECDHE-RSA-AES256-GCM-SHA384
- AES256-GCM-SHA384
- ECDHE-RSA-AES128-GCM-SHA256
- AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-ECDSA-AES128-GCM-SHA256
Note: If you disabled ECDHE-ECDSA-AES256-GCM-SHA384 or ECDHE-ECDSA-AES128-GCM-SHA256, you must revert the certificates that you created as described in Creating and enabling certificates. If you do not revert the certificates, the ciphers cannot be disabled.
Enabling ciphers
- Open the /nz/data/postgresql.conf file.
- Enable ciphers:
  - To enable a cipher that has preceding ciphers, add the cipher name that you want to enable and add ! before the ciphers that precede it.
    ssl_cipher_list_append = '!<preceding_cipher>:!<preceding_cipher>:<cipher_to_enable>'
    Tip: To separate ciphers, put a colon (:) after each cipher.
    Example:
    ssl_cipher_list_append = '!ECDHE-RSA-AES256-GCM-SHA384:!AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256'
    In the example, ECDHE-RSA-AES128-GCM-SHA256 is enabled. Thus, ECDHE-RSA-AES256-GCM-SHA384 and AES256-GCM-SHA384 were disabled.
  - To enable a cipher that does not have any preceding ciphers, add the cipher name that you want to enable.
    ssl_cipher_list_append = '<cipher_to_enable>'
    Tip: To separate ciphers, put a colon (:) after each cipher.
    Example:
    ssl_cipher_list_append = 'ECDHE-RSA-AES256-GCM-SHA384'
- Save postgresql.conf and restart the system.
  - nzstop
  - nzstart
Disabling ciphers
- Go to /nz/data/postgresql.conf.
- Edit the ssl_cipher_list_append line by adding an exclamation mark (!) before the cipher name that you want to disable.
    ssl_cipher_list_append = '!cipher'
    Example:
    ssl_cipher_list_append = '!ECDHE-RSA-AES128-GCM-SHA256'
    Tip: Ciphers are separated by a colon (:). To remove multiple ciphers at the same time, put an exclamation mark before each cipher. For example:
    ssl_cipher_list_append = '!AES128-GCM-SHA256:!ECDHE-RSA-AES128-GCM-SHA256:!ECDHE-ECDSA-AES128-GCM-SHA256'
- Save postgresql.conf and restart the system.
  - nzstop
  - nzstart
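The following pre-restart check is an added example, not part of the original documentation or of Netezza Performance Server: it lints the ssl_cipher_list_append line in postgresql.conf against the cipher order and the enable/disable rules on this page. The name lint_cipher_setting and the sample inputs are assumptions made for illustration, and the parser assumes the single-quoted key = 'value' form shown above.

```python
import re

# Priority order exactly as listed on this page (highest first).
PRIORITY = [
    "ECDHE-RSA-AES256-GCM-SHA384", "AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256", "AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES128-GCM-SHA256",
]
# Matches an active (uncommented) line in the form shown on this page.
LINE_RE = re.compile(r"^\s*ssl_cipher_list_append\s*=\s*'([^']*)'")

def lint_cipher_setting(conf_text):
    """Return (enabled, disabled, problems) for ssl_cipher_list_append."""
    values = [m.group(1) for line in conf_text.splitlines()
              if (m := LINE_RE.match(line))]
    if len(values) != 1:
        return [], [], [f"expected 1 active line, found {len(values)}"]
    enabled, disabled, problems = [], [], []
    for token in values[0].split(":"):
        if not token:
            continue  # tolerate a trailing colon
        name = token.lstrip("!")
        if re.search(r"\s", token):
            problems.append(f"whitespace inside token {token!r}")
        elif name not in PRIORITY:
            problems.append(f"unknown cipher {name!r}")
        elif token.startswith("!"):
            disabled.append(name)
        else:
            enabled.append(name)
    for name in enabled:
        # Page rule: ciphers that precede an enabled cipher get a leading '!'.
        missing = [p for p in PRIORITY[:PRIORITY.index(name)]
                   if p not in disabled and p not in enabled]
        if missing:
            problems.append(f"{name}: preceding not disabled: {', '.join(missing)}")
    if any("ECDSA" in name for name in disabled):
        problems.append("ECDSA cipher disabled: revert the certificates first")
    return enabled, disabled, problems

# Constructed sample inputs (not taken from a real system).
GOOD = "ssl_cipher_list_append = '!ECDHE-RSA-AES256-GCM-SHA384:!AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256'\n"
BAD = "#ssl_cipher_list_append = 'x'\nssl_cipher_list_append = '!AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM- SHA256'\n"

if __name__ == "__main__":
    for label, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, lint_cipher_setting(text))
```

Run it against a copy of /nz/data/postgresql.conf before nzstop and nzstart; an empty problems list means the line follows the rules on this page, not that the server accepted it.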