Re: settings to control SSL/TLS protocol version - Mailing list pgsql-hackers

From Peter Eisentraut
Subject Re: settings to control SSL/TLS protocol version
Date
Msg-id 0a4c4605-923f-690f-f8b0-b6b185ebcf04@2ndquadrant.com
In response to Re: settings to control SSL/TLS protocol version  (Daniel Gustafsson <daniel@yesql.se>)
Responses Re: settings to control SSL/TLS protocol version  (Daniel Gustafsson <daniel@yesql.se>)
List pgsql-hackers
On 01/10/2018 23:30, Daniel Gustafsson wrote:
>>    ssl_min_protocol_version = 'TLSv1'
>>    ssl_max_protocol_version = 'any'
> 
> I don’t think ‘any’ is a clear name for a setting which means “the highest
> supported version”.  How about ‘max_supported’ or something similar?

I can see the argument for an alternative, but your suggestion is a
mouthful.

> +1 for using a min/max approach for setting the version, and it should be
> trivial to add support for in the pending GnuTLS and Secure Transport patches.

AFAICT, in GnuTLS this is done via the "priorities" setting that also
sets the ciphers.  There is no separate API for just the TLS version.
It would be interesting to see how Secure Transport can do it.

-- 
Peter Eisentraut              http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
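
The GnuTLS point in the message above, as an added example that is not part of the original message or of any PostgreSQL patch: since the protocol versions live in the same priority string as the ciphers, a min/max pair has to be translated into that string. The helper name `build_priority`, the setting names other than 'TLSv1' and 'any', and the choice to read 'any' as the ends of this table are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Setting names follow the 'TLSv1' form quoted in the thread; the other three
 * are assumed. Tokens are GnuTLS priority-string keywords. */
static const struct { const char *setting, *token; } versions[] = {
    { "TLSv1",   "VERS-TLS1.0" }, { "TLSv1.1", "VERS-TLS1.1" },
    { "TLSv1.2", "VERS-TLS1.2" }, { "TLSv1.3", "VERS-TLS1.3" },
};
#define N_VERSIONS ((int) (sizeof(versions) / sizeof(versions[0])))

/* Table index for a setting value; "any" yields the fallback, unknown -1. */
static int version_index(const char *s, int fallback)
{
    if (strcmp(s, "any") == 0)
        return fallback;
    for (int i = 0; i < N_VERSIONS; i++)
        if (strcmp(s, versions[i].setting) == 0)
            return i;
    return -1;
}

/* Hypothetical helper: build a priority string that keeps the cipher keyword
 * in `base` (e.g. "NORMAL") and enables only the TLS versions in [min, max].
 * Returns 0, or -1 for an unknown name, inverted range or short buffer. */
int build_priority(const char *base, const char *min, const char *max,
                   char *out, size_t outlen)
{
    int lo = version_index(min, 0);
    int hi = version_index(max, N_VERSIONS - 1);
    int n;
    size_t used;

    if (lo < 0 || hi < 0 || lo > hi)
        return -1;
    /* Drop every TLS version first, then re-enable the allowed range. */
    n = snprintf(out, outlen, "%s:-VERS-TLS-ALL", base);
    if (n < 0 || (size_t) n >= outlen)
        return -1;
    used = (size_t) n;
    for (int i = lo; i <= hi; i++) {
        n = snprintf(out + used, outlen - used, ":+%s", versions[i].token);
        if (n < 0 || (size_t) n >= outlen - used)
            return -1;
        used += (size_t) n;
    }
    return 0;   /* the result is what gnutls_priority_init() would parse */
}
```

Because the cipher keyword and the version tokens end up in one string, any separate cipher setting would have to be merged into `base` before the string is handed to GnuTLS.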
