Home > mailing lists

Re: [PATCH] add ssl_protocols configuration option - Mailing list pgsql-hackers

From	Dag-Erling Smørgrav
Subject	Re: [PATCH] add ssl_protocols configuration option
Date	October 23, 2014 21:57:09
Msg-id	86vbnazkb2.fsf@nine.des.no Whole thread Raw
In response to	Re: [PATCH] add ssl_protocols configuration option (Tom Lane <tgl@sss.pgh.pa.us>)
List	pgsql-hackers

Tree view

Tom Lane <tgl@sss.pgh.pa.us> writes:
> Anyone who is feeling paranoid about shutting off SSLv3 despite (1)
> can do so via the existing ssl_ciphers GUC parameter [...] the ciphers
> string includes categories corresponding to protocol versions, so you
> can shut off an old protocol version there if you need to.

The overlap between SSL 3.0 and TLS 1.0 is 100%:

% openssl ciphers SSLv2 | md5
fe5ff23432f119364a1126ca0776c5db
% openssl ciphers SSLv3 | md5
bde4e4a10b9c3f323c0632ad067e293a
% openssl ciphers TLSv1 | md5
bde4e4a10b9c3f323c0632ad067e293a
% openssl ciphers TLSv1.2 | md5
26c375b6bdefb018b9dd7df463658320

Thus, if you disable all SSL 3.0 ciphers, you also disable TLS 1.0.

DES
--
Dag-Erling Smørgrav - des@des.no

pgsql-hackers by date:

From: Florian Pflug
Date: 23 October 2014, 21:41:58
Subject: Re: Question about RI checks

From: Robert Haas
Date: 23 October 2014, 22:22:08
Subject: Re: [Windows,PATCH] Use faster, higher precision timer API

Re: [PATCH] add ssl_protocols configuration option - Mailing list pgsql-hackers

Previous

Next