Re: Setting min/max TLS protocol in clientside libpq - Mailing list pgsql-hackers

From Michael Paquier
Subject Re: Setting min/max TLS protocol in clientside libpq
Msg-id 20200128035313.GB1552@paquier.xyz
In response to Re: Setting min/max TLS protocol in clientside libpq  (Daniel Gustafsson <daniel@yesql.se>)
Responses Re: Setting min/max TLS protocol in clientside libpq
List pgsql-hackers
On Mon, Jan 27, 2020 at 09:49:09AM +0100, Daniel Gustafsson wrote:
>> On 27 Jan 2020, at 07:01, Michael Paquier <michael@paquier.xyz> wrote:
> Ok.  I prefer to keep the TLS code collected in fe-secure.c, but I don't have
> strong enough opinions to kick up a fuzz.

They are parameter-related, so fe-connect.c made the most sense to me.
The routine checking after the range makes the code more readable IMO
even if we only use it in one place.

>> Hm.  I am not sure that having a separate section "Client Protocol
>> Usage" brings much, so I have removed this one, and added an extra
>> sentence for the maximum protocol regarding its value for testing or
>> protocol compatibility.
>
> I'm not convinced, this forces the reader to know what to look for (the
> connection parameters) rather than being informed.  If anything, I think we
> need more explanatory sections in the docs.
>
>> So, attached is an updated version of the patch that I have spent a
>> couple of hours polishing.  What do you think?
>
> Overall a +1 on this version, thanks for picking it up!

Thanks.  I have committed the bulk of the changes.  As mentioned
previously, I still have doubts about the value of the new section for
the new protocol usage.  Once reworded a bit, I finished with the
attached, and the following paragraph for libpq.sgml:
+ <sect2>
+  <title>Client Protocol Usage</title>
+  <para>
+   When connecting using SSL, the client and server negotiate which protocol
+   to use for the connection. <productname>PostgreSQL</productname> supports
+   <literal>TLSv1</literal>, <literal>TLSv1.1</literal>,
+   <literal>TLSv1.2</literal> and <literal>TLSv1.3</literal>, but the
+   protocols available depend on the version of
+   <productname>OpenSSL</productname> that the client and the backend are
+   using. The minimum requested version can be specified with
+   <literal>sslminprotocolversion</literal>, which will ensure that the
+   connection uses that protocol version or higher. The maximum requested
+   version can be specified with <literal>sslmaxprotocolversion</literal>.
+  </para>
+ </sect2>
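Review bot: the paragraph never says what happens when the client's bounds and the range the server accepts do not overlap, so a reader setting `<literal>sslmaxprotocolversion</literal>` cannot tell from this text whether the connection fails or falls back; one sentence on that outcome is what would make the section more than a restatement of the parameter entries. Consider also linking the two `<literal>` parameter names to their connection-parameter documentation, so the reader can find the accepted values rather than inferring them from the list of supported protocols.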

Now, we already mention in the docs which values the min and max
bounds support, and that the version of OpenSSL used by the backend
and the frontend are impacted by that depending on what version of
OpenSSL one or the other link to.  The remaining piece is that the
client and the server negotiate the protocol they use, which is an
obvious fact, at least to me.
--
Michael
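The parameter semantics described in the quoted documentation paragraph, modelled in a small Python script. This is an added example, not libpq's code: the version names are the ones the paragraph lists; the conninfo parsing, the up-front range check (the kind of client-side check the thread mentions being placed in fe-connect.c) and the "newest common version" negotiation rule are assumptions made here for illustration.

```python
"""Model of client-side TLS protocol bounds (sslminprotocolversion /
sslmaxprotocolversion).  Added illustration, not libpq code: the version
names come from the documentation paragraph; parsing, range check and
negotiation rule are simplified assumptions."""

# Protocol versions named in the documentation paragraph, oldest first.
TLS_VERSIONS = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def parse_conninfo(conninfo):
    """Split a 'key=value key=value' connection string into a dict.
    Assumption: no quoting or escaping, which real libpq conninfo allows."""
    params = {}
    for token in conninfo.split():
        key, sep, value = token.partition("=")
        if not sep or not key:
            raise ValueError("malformed conninfo token: %r" % token)
        params[key] = value
    return params


def _version_index(name, param):
    """Map a version name to its position in TLS_VERSIONS, rejecting unknowns."""
    if name not in TLS_VERSIONS:
        raise ValueError("invalid %s value: %r" % (param, name))
    return TLS_VERSIONS.index(name)


def client_protocol_range(params):
    """Validate both bounds up front and return (min_idx, max_idx).

    An unset bound means no restriction.  An unknown version name or an
    inverted range (min newer than max) is rejected before any network
    activity, which is the kind of client-side check the thread refers to."""
    lo = params.get("sslminprotocolversion")
    hi = params.get("sslmaxprotocolversion")
    lo_idx = _version_index(lo, "sslminprotocolversion") if lo else 0
    hi_idx = (_version_index(hi, "sslmaxprotocolversion") if hi
              else len(TLS_VERSIONS) - 1)
    if lo_idx > hi_idx:
        raise ValueError("sslminprotocolversion %s is newer than "
                         "sslmaxprotocolversion %s" % (lo, hi))
    return lo_idx, hi_idx


def negotiate(conninfo, server_versions):
    """Return the protocol version the connection would use, or None.

    server_versions is the set of versions the server's OpenSSL build and
    configuration accept (constructed for the example).  Assumption: both
    sides settle on the newest version satisfying every constraint; an
    empty intersection means the handshake cannot succeed, not a downgrade."""
    lo_idx, hi_idx = client_protocol_range(parse_conninfo(conninfo))
    client_ok = TLS_VERSIONS[lo_idx:hi_idx + 1]
    common = [v for v in client_ok if v in server_versions]
    return common[-1] if common else None


if __name__ == "__main__":
    # Constructed sample: a server whose OpenSSL offers TLSv1 through TLSv1.3.
    server = {"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
    print(negotiate("host=db sslmode=require sslminprotocolversion=TLSv1.2", server))
    # Client caps at TLSv1.1 but the server only offers newer versions: no match.
    print(negotiate("host=db sslmaxprotocolversion=TLSv1.1", {"TLSv1.2", "TLSv1.3"}))
```

The point the model makes is the one the thread's range check exists for: an inverted or misspelled bound is a configuration error that should be reported before a connection is attempted, while a valid range that the server cannot satisfy surfaces as a failed handshake rather than a quiet drop to an older protocol.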
