PostgreSQL DB server minimum TLS version#
Security · Azure Database for PostgreSQL · Rule · 2020_09 · Critical
PostgreSQL DB servers should reject TLS versions older than 1.2.
Description#
The minimum version of TLS that PostgreSQL DB servers accept is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.
Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.
Recommendation#
Consider configuring the minimum supported TLS version to be 1.2.
Examples#
Configure with Azure template#
To deploy servers that pass this rule:
- Set the
properties.minimalTlsVersionproperty toTLS1_2.
For example:
Azure Template snippet
{
"type": "Microsoft.DBforPostgreSQL/servers",
"apiVersion": "2017-12-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"properties": {
"createMode": "Default",
"administratorLogin": "[parameters('localAdministrator')]",
"administratorLoginPassword": "[parameters('localAdministratorPassword')]",
"minimalTlsVersion": "TLS1_2",
"sslEnforcement": "Enabled",
"publicNetworkAccess": "Disabled",
"version": "11"
}
}
Configure with Bicep#
To deploy servers that pass this rule:
- Set the
properties.minimalTlsVersionproperty toTLS1_2.
For example:
Azure Bicep snippet
resource single 'Microsoft.DBforPostgreSQL/servers@2017-12-01' = {
name: name
location: location
properties: {
createMode: 'Default'
administratorLogin: localAdministrator
administratorLoginPassword: localAdministratorPassword
minimalTlsVersion: 'TLS1_2'
sslEnforcement: 'Enabled'
publicNetworkAccess: 'Disabled'
version: '11'
}
}
Notes#
This rule is not applicable to PostgreSQL using the flexible server model.
Links#
- SE:07 Encryption
- TLS enforcement in Azure Database for PostgreSQL Single server
- Set TLS configurations for Azure Database for PostgreSQL - Single server
- Preparing for TLS 1.2 in Microsoft Azure
- Azure deployment reference