Postgres Pro
Downloads
Home   >   mailing lists

Re: should libpq also require TLSv1.2 by default? - Mailing list pgsql-hackers

From Bruce Momjian
Subject Re: should libpq also require TLSv1.2 by default?
Date
Msg-id 20200624182210.GC17842@momjian.us
Whole thread Raw
In response to Re: should libpq also require TLSv1.2 by default?  (Peter Eisentraut <peter.eisentraut@2ndquadrant.com>)
List pgsql-hackers
Tree view 
On Wed, Jun 24, 2020 at 07:57:31PM +0200, Peter Eisentraut wrote:
> On 2020-06-24 10:33, Daniel Gustafsson wrote:
> > > In PG13, we raised the server-side default of ssl_min_protocol_version to TLSv1.2.  We also added a connection
settingnamed ssl_min_protocol_version to libpq.  But AFAICT, the default value of the libpq setting is empty, so any
protocolversion will be accepted.  Is this what we wanted?  Should we raise the default in libpq as well?
 
> > 
> > This was discussed [0] when the connection settings were introduced, and the
> > concensus was to leave them alone [1] to allow for example a new pg_dump to
> > work against an old server.  Re-reading the thread I think the argument still
> > holds, but I was about to respond "yes, let's do this" before refreshing my
> > memory.  Perhaps we should add a comment explaining this along the lines of the
> > attached?
> > 
> > [0] https://www.postgresql.org/message-id/157800160408.1198.1714906047977693148.pgcf%40coridan.postgresql.org
> > [1] https://www.postgresql.org/message-id/31993.1578321474%40sss.pgh.pa.us
> 
> ISTM that these discussions went through the same questions and arguments
> that were made regarding the server-side change but arrived at a different
> conclusion.  So I suggest to reconsider this so that we don't ship with
> contradictory results.
> 
> That doesn't necessarily mean that we have to make a change, but we should
> make sure our rationale is sound.
> 
> Note that all OpenSSL versions that do not support TLSv1.2 also do not
> support TLSv1.1.  So by saying, in effect, that TLSv1.2 is too new to
> require, we are saying that we need to keep supporting TLSv1.0 -- which is
> heavily deprecated.  Also note that the first OpenSSL version with support
> for TLSv1.2 shipped on March 14, 2012.

I do think mismatched SSL requirements between client and server is
confusing, though I can see the back-version pg_dump being an issue. 
Maybe a clear error message would help here.

-- 
  Bruce Momjian  <bruce@momjian.us>        https://momjian.us
  EnterpriseDB                             https://enterprisedb.com

  The usefulness of a cup is in its emptiness, Bruce Lee

pgsql-hackers by date:

Previous
From: Peter Eisentraut
Date:
Subject: Re: Allow CURRENT_ROLE in GRANTED BY
Next
From: Alvaro Herrera
Date:
Subject: Re: Review for GetWALAvailability()