Django - postgres: how can I verify whether the database connection is SSL?

Question

My postgres server should be forcing SSL connection however I would like to verify this setting directly from the Django app. Is there a way to inspect the database connection (perhaps through manage.py shell and make sure the connection is SSL?

Ryan Stack · Accepted Answer · 2018-07-18T18:48:31.493

9

You can confirm that the connection is encrypted by looking for the cipher in the connection information after navigating to python manage.py dbshell

SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES128-GCM-SHA256, bits: 
128, compression: off)

otherwise, you will see no SSL information.

edited Jul 18 '18 at 18:48

answered Jul 17 '18 at 13:20

Ryan Stack

1,231
1
12
25

awesome. Elegant and easy. – Jad S Jul 18 '18 at 14:05

score 0 · Answer 2 · answered Jun 08 '18 at 12:49

0

I don't know how to configure that from your Django app, but maybe you could tell postgres to require SSL in the sslmode connection parameter?

answered Jun 08 '18 at 12:49

miravalls

365
1
7

yes that can be configured in the Django DATABASES setting ([answered here](https://stackoverflow.com/questions/47683059/force-ssl-for-django-postgres-connection)). However, that doesn't really tell me if my existing connection is SSL (such as if I have a DB-server-enforced SSL without configuring SSL in Django). However, I think I found a way to do it and I will post. – Jad S Jun 08 '18 at 13:06
@JadS Ok, as I understand it, your solution actually lets you verify if it is using SSL, but it requires a module. IMHO, if you tell your postgres driver that you require SSL, wouldn't it be a bug if it allowed you connect without SSL? Also, this post now links to https://stackoverflow.com/a/47683060/3914029 which tells you specifically how to set that parameter for your Django app. However, I'd mark your answer as solution, as it is what you actually wanted. – miravalls Jun 09 '18 at 12:00

Jad S · Answer 3 · 2018-06-08T13:18:21.560

I believe I found one way, but I will wait before accepting in case people have critiques of this method:

connect to the database server as superuser and run create extension sslinfo; to install the sslinfo extension. This may not be possible for some who don't have superuser access, however in my case where I configured server-side SSL enforcement, SU access is given.
run the following in manage.py shell:

-

from django.db import connection

with connection.cursor() as cursor:
    cursor.execute('select ssl_is_used();')
    output = cursor.fetchall()
    print(output) # will print [(True,)] if SSL

This executes raw SQL which should return [(True,)] if SSL is enabled.

Relevant documentation about sslinfo can be found here

Django - postgres: how can I verify whether the database connection is SSL?

3 Answers3