Re: [COMMITTERS] pgsql: libpq: Support TLS versions beyond TLSv1. - Mailing list pgsql-hackers

From Noah Misch
Subject Re: [COMMITTERS] pgsql: libpq: Support TLS versions beyond TLSv1.
Date
Msg-id 20140125164622.GA2068233@tornado.leadboat.com
Whole thread Raw
In response to Re: [COMMITTERS] pgsql: libpq: Support TLS versions beyond TLSv1.  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: [COMMITTERS] pgsql: libpq: Support TLS versions beyond TLSv1.
List pgsql-hackers
On Sat, Jan 25, 2014 at 11:24:19AM -0500, Tom Lane wrote:
> Noah Misch <noah@leadboat.com> writes:
> > libpq: Support TLS versions beyond TLSv1.
> 
> > Per report from Jeffrey Walton, libpq has been accepting only TLSv1
> > exactly.  Along the lines of the backend code, libpq will now support
> > new versions as OpenSSL adds them.
> 
> This patch seems fishy.  The commit comment claims that it makes libpq
> consistent with the backend, but it doesn't: in the backend, we use
> SSLv23_method() but then set only the option SSL_OP_NO_SSLv2.  With the
> patch, libpq now also sets the option SSL_OP_NO_SSLv3, which I assume
> means that we just disabled SSL v3 protocol.  Did we actually want to
> do that?  If so, why wasn't this patch advertised as doing that, and
> why wasn't the backend also made to reject SSL v3?

The backend allows SSLv3, TLSv1, TLSv1.1 and TLSv1.2.  Before the patch, libpq
allowed TLSv1 only.  Since the patch, libpq allows TLSv1, TLSv1.1 and TLSv1.2.
I did twitch a bit over leaving them non-identical.  However, disabling SSLv3
in the backend would be a separate discussion due to the compatibility break.
I also didn't see the point of initiating SSLv3 support in libpq when it has
been disabled so long without complaint.

-- 
Noah Misch
EnterpriseDB                                 http://www.enterprisedb.com



pgsql-hackers by date:

Previous
From: Tom Lane
Date:
Subject: Re: [PATCH] Negative Transition Aggregate Functions (WIP)
Next
From: Dimitri Fontaine
Date:
Subject: Re: extension_control_path