Re: [PATCH] add ssl_protocols configuration option - Mailing list pgsql-hackers

From Dag-Erling Smørgrav
Subject Re: [PATCH] add ssl_protocols configuration option
Date
Msg-id 86zjcock9b.fsf@nine.des.no
Whole thread Raw
In response to Re: [PATCH] add ssl_protocols configuration option  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
Tom Lane <tgl@sss.pgh.pa.us> writes:
> As far as protocol version goes, I think our existing coding basically
> says "prefer newest available version, but at least TLS 1.0".  I think
> that's probably a reasonable approach.

The client side forces TLS 1.0:
       SSL_context = SSL_CTX_new(TLSv1_method());

In typical OpenSSL fashion, this does *not* mean 1.0 or higher.  It
means 1.0 exactly.

> If the patch exposed a GUC that set a "minimum" version, rather than
> calling out specific acceptable protocols, it might be less risky.

Not necessarily.  Someone might find a weakness in TLS 1.1 which is not
present in 1.0 because it involves a specific algorithm or mode that 1.0
does not support.

DES
--
Dag-Erling Smørgrav - des@des.no



pgsql-hackers by date:

Previous
From: Michael Paquier
Date:
Subject: Re: BUG: *FF WALs under 9.2 (WAS: .ready files appearing on slaves)
Next
From: Dag-Erling Smørgrav
Date:
Subject: Re: [PATCH] add ssl_protocols configuration option