Re: [COMMITTERS] pgsql: libpq: Support TLS versions beyond TLSv1. - Mailing list pgsql-hackers

From Craig Ringer
Subject Re: [COMMITTERS] pgsql: libpq: Support TLS versions beyond TLSv1.
Date
Msg-id 52E4DF1E.2030006@2ndquadrant.com
In response to Re: [COMMITTERS] pgsql: libpq: Support TLS versions beyond TLSv1.  (Alvaro Herrera <alvherre@2ndquadrant.com>)
List pgsql-hackers
On 01/26/2014 10:13 AM, Alvaro Herrera wrote:
> Stephen Frost wrote:
>> * Noah Misch (noah@leadboat.com) wrote:
>>> +1.  If you can upgrade to 9.4, you can also bring your TLS protocol out of
>>> the iron age.
>>
>> Agreed- this was going to be my 2c.  Anyone w/ an SSL library that old
>> isn't likely to be upgrading to 9.4 of libpq or PG.
> 
> What about people doing SSL connections through JDBC?  As far as I
> understand, these don't use openssl.

That's correct, PgJDBC uses Java's built-in SSL support, which is
provided by the underlying JSSE ("Java Secure Socket Extension") service
in the JVM.

From what I can find, it looks like Java 1.4.2 and newer, including Java
5, appear to support TLS 1.0. I haven't found anything definitive for
1.4.2 yet, but 1.5 certainly supports it.

That's all we need to care about IMO; 1.4.x users are running
unsupported and old PgJDBC versions (we dropped support for 1.4) and
they're generally happy living in the stone age.

So I don't see Java as a barrier here.

----

Finding a good reference on which Java runtimes support which features
is surprisingly hard.

Java 6 supports TLS. It took a bit to confirm that 1.5 does too. 1.4.2
may, but we don't need to care.

http://docs.oracle.com/javase/1.5.0/docs/guide/security/jsse/JSSERefGuide.html

claims:

"The JSSE implementation in the J2SDK 1.4 and later implements SSL 3.0
and TLS 1.0"

... but in the table "Default Enabled Cipher Suites" in:

http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html

Java 1.4.2 and newer are shown to support by default:

TLS_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA

... and a bunch of SSL_ stuff.

So it looks like TLS support has probably been backported to 1.4.2. Java
1.4 is PostgreSQL 7.2 vintage, well into "we don't care, go away" land.

BTW, the JSSE docs also claim that "TLS 1.0 is a modest upgrade to the
most recent version of SSL, version 3.0. The differences between SSL 3.0
and TLS 1.0 are minor".


-- 
 Craig Ringer                   http://www.2ndQuadrant.com/
 PostgreSQL Development, 24x7 Support, Training & Services
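The discussion above relies on vendor documentation to work out which protocol versions and cipher suites a given JVM's JSSE provider offers. The following is an added example (not code from this thread, from PgJDBC, or from PostgreSQL) that asks the running JVM directly, using only JSSE APIs that have existed since Java 1.4, so it can be run on the old runtimes being discussed as well as current ones. The class name `JsseProtocolCheck` is a made-up name for this example. It lists supported and default-enabled protocols, counts default cipher suites by their `TLS_`/`SSL_` name prefix as in the Oracle table quoted above, and flags any pre-TLS protocol that is still enabled by default, which is what a JDBC deployment would want to verify before assuming its connections will negotiate TLS.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Reports which TLS/SSL protocol versions and cipher suites the running
 * JVM's JSSE provider supports and enables by default, and flags any
 * protocol older than TLS 1.0 that is still enabled.
 *
 * Hypothetical example class; only uses JSSE APIs available since Java 1.4.
 */
public class JsseProtocolCheck {

    /** Protocol names a client should no longer be willing to negotiate. */
    static final List<String> LEGACY_PROTOCOLS =
        Arrays.asList("SSLv2Hello", "SSLv3", "SSLv2");

    public static void main(String[] args) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();

        // An unconnected socket is sufficient to query the provider's
        // protocol configuration; nothing is sent over the network.
        SSLSocket socket = (SSLSocket) factory.createSocket();
        try {
            List<String> supported = Arrays.asList(socket.getSupportedProtocols());
            List<String> enabled = Arrays.asList(socket.getEnabledProtocols());

            System.out.println("JVM: " + System.getProperty("java.version"));
            System.out.println("Supported protocols: " + supported);
            System.out.println("Enabled by default:  " + enabled);

            // Mirror the "Default Enabled Cipher Suites" table: count suites
            // by name prefix. Note the prefix reflects the suite's naming,
            // not which protocol version will actually be negotiated.
            int tlsNamed = 0;
            int sslNamed = 0;
            for (String suite : factory.getDefaultCipherSuites()) {
                if (suite.startsWith("TLS_")) {
                    tlsNamed++;
                } else if (suite.startsWith("SSL_")) {
                    sslNamed++;
                }
            }
            System.out.println("Default cipher suites: " + tlsNamed
                + " TLS_-named, " + sslNamed + " SSL_-named");

            // The security-relevant check: is anything older than TLS 1.0
            // still enabled for outbound connections?
            List<String> legacyEnabled = new ArrayList<String>();
            for (String proto : enabled) {
                if (LEGACY_PROTOCOLS.contains(proto)) {
                    legacyEnabled.add(proto);
                }
            }
            if (legacyEnabled.isEmpty()) {
                System.out.println("OK: no pre-TLS protocol is enabled by default.");
            } else {
                System.out.println("WARNING: legacy protocols enabled by default: "
                    + legacyEnabled);
                System.out.println("Restrict with SSLSocket.setEnabledProtocols() "
                    + "or the provider's system properties.");
            }
        } finally {
            socket.close();
        }
    }
}
```

Run it with the same JVM the JDBC application uses (`javac JsseProtocolCheck.java && java JsseProtocolCheck`); the answer depends on the runtime and its security configuration, not on the JDBC driver, which is why the check queries the provider rather than consulting a version table.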


