Re: [PATCH] add ssl_protocols configuration option - Mailing list pgsql-hackers

From Tom Lane
Subject Re: [PATCH] add ssl_protocols configuration option
Date
Msg-id 9744.1414087869@sss.pgh.pa.us
In response to Re: [PATCH] add ssl_protocols configuration option  (Dag-Erling Smørgrav <des@des.no>)
Responses Re: [PATCH] add ssl_protocols configuration option
List pgsql-hackers
Dag-Erling Smørgrav <des@des.no> writes:
> Alvaro Herrera <alvherre@2ndquadrant.com> writes:
>> OpenSSL 0.9.7 has already not gotten fixes for all the latest flurry of
>> security issues, so if anyone *is* using SSL but not at least the 0.9.8
>> branch, they are in trouble.

> The latest 0.9.8 still only has TLS 1.0, unless they're planning to
> backport 1.1 and 1.2 (which I seriously doubt).

The upshot of this conversation still seems to be that we don't need to
do anything.  Unless I'm misunderstanding something:

(1) No currently supported (or even recently supported) version of either
the backend or libpq will select a protocol lower than TLS 1.0 unless forced
to via (poorly chosen) configuration settings.

(2) Anyone who is feeling paranoid about shutting off SSLv3 despite (1)
can do so via the existing ssl_ciphers GUC parameter.

Seems to me that's sufficient, not only for now but for the future;
existing OpenSSL practice is that the ciphers string includes categories
corresponding to protocol versions, so you can shut off an old
protocol version there if you need to.
        regards, tom lane