Re: should libpq also require TLSv1.2 by default? - Mailing list pgsql-hackers

From Tom Lane
Subject Re: should libpq also require TLSv1.2 by default?
Msg-id 142460.1593276921@sss.pgh.pa.us
In response to Re: should libpq also require TLSv1.2 by default?  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
I wrote:
> Daniel Gustafsson <daniel@yesql.se> writes:
>> SSL_R_UNKNOWN_PROTOCOL seems to cover cases when someone manages to perform
>> something which OpenSSL believes is a broken SSLv2 connection, but their own
>> client-level code uses it to refer to SSL as well as TLS.  Maybe it's worth
>> adding as a belts and suspenders type thing?

> No objection on my part.

>> If anything it might be useful to document in the comment that we're only
>> concerned with TLS versions; SSL2/3 are disabled in the library initialization.

> Good point.

Pushed with those corrections.  I also rewrote the comment about which
error codes we'd seen in practice, after realizing that one of my tests
had been affected by the presence of "MinProtocol = TLSv1.2" in
RHEL8's openssl.cnf (causing a max setting less than that to be a local
configuration error, not something the server had rejected).

            regards, tom lane
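As an added example (not code from this thread or from PostgreSQL itself), the check below reads an openssl.cnf laid out the way the RHEL8 case above describes, follows the openssl_conf chain to the system-wide MinProtocol, and flags a libpq ssl_max_protocol_version below it as a local configuration error before any connection is attempted. The config text, the include map and the file paths in it are constructed assumptions, not files read from disk.

```python
TLS_ORDER = {"TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}  # libpq's protocol names

# Constructed sample modelled on a RHEL-style openssl.cnf; paths are assumptions, nothing is read from disk.
SAMPLE_CNF = """\
openssl_conf = default_modules
[ default_modules ]
ssl_conf = ssl_module
[ ssl_module ]
system_default = crypto_policy
[ crypto_policy ]
.include /etc/crypto-policies/back-ends/opensslcnf.config
"""
SAMPLE_INCLUDES = {
    "/etc/crypto-policies/back-ends/opensslcnf.config":
        "MinProtocol = TLSv1.2\nMaxProtocol = TLSv1.3\n",
}

def parse_openssl_cnf(text, includes):
    """Parse the openssl.cnf subset used here: comments, [sections], key = value, .include."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif line.startswith(".include"):
            # Included text behaves as if it appeared at this point, so its
            # top-level keys land in the section currently being read.
            inner = parse_openssl_cnf(includes.get(line.split(None, 1)[1], ""), includes)
            for name, keys in inner.items():
                sections.setdefault(name or current, {}).update(keys)
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def system_min_protocol(sections):
    """Follow openssl_conf -> ssl_conf -> system_default to the MinProtocol value."""
    name = sections[""].get("openssl_conf", "")
    name = sections.get(name, {}).get("ssl_conf", "")
    name = sections.get(name, {}).get("system_default", "")
    return sections.get(name, {}).get("MinProtocol")

def max_version_is_local_error(requested_max, cnf_text, includes):
    """True when the requested max is below the library-wide MinProtocol (a local config error)."""
    min_proto = system_min_protocol(parse_openssl_cnf(cnf_text, includes))
    return min_proto is not None and TLS_ORDER[requested_max] < TLS_ORDER[min_proto]
```

A True result means the handshake would fail on the client side regardless of what the server supports, which is the case Tom's test tripped over; only a False result leaves a failure attributable to the server's own version policy.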
