PostgreSQL DB server minimum TLS version
March 21, 2025 ยท View on GitHub
SYNOPSIS
PostgreSQL DB servers should reject TLS versions older than 1.2.
DESCRIPTION
The minimum version of TLS that PostgreSQL DB servers accept is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.
Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.
RECOMMENDATION
Consider configuring the minimum supported TLS version to be 1.2.
EXAMPLES
Configure with Azure template
To deploy servers that pass this rule:
- Set the
properties.minimalTlsVersionproperty toTLS1_2.
For example:
{
"type": "Microsoft.DBforPostgreSQL/servers",
"apiVersion": "2017-12-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"properties": {
"createMode": "Default",
"administratorLogin": "[parameters('localAdministrator')]",
"administratorLoginPassword": "[parameters('localAdministratorPassword')]",
"minimalTlsVersion": "TLS1_2",
"sslEnforcement": "Enabled",
"publicNetworkAccess": "Disabled",
"version": "11"
}
}
Configure with Bicep
To deploy servers that pass this rule:
- Set the
properties.minimalTlsVersionproperty toTLS1_2.
For example:
resource single 'Microsoft.DBforPostgreSQL/servers@2017-12-01' = {
name: name
location: location
properties: {
createMode: 'Default'
administratorLogin: localAdministrator
administratorLoginPassword: localAdministratorPassword
minimalTlsVersion: 'TLS1_2'
sslEnforcement: 'Enabled'
publicNetworkAccess: 'Disabled'
version: '11'
}
}
NOTES
This rule is not applicable to PostgreSQL using the flexible server model.