Home > mailing lists

Re: should libpq also require TLSv1.2 by default? - Mailing list pgsql-hackers

From	Daniel Gustafsson
Subject	Re: should libpq also require TLSv1.2 by default?
Date	June 24, 2020 12:01:48
Msg-id	DF11E406-A9AB-43A6-9B0E-5291644CC16F@yesql.se Whole thread Raw
In response to	Re: should libpq also require TLSv1.2 by default? (Magnus Hagander <magnus@hagander.net>)
Responses	Re: should libpq also require TLSv1.2 by default? (Tom Lane <tgl@sss.pgh.pa.us>)
List	pgsql-hackers

Tree view

> On 24 Jun 2020, at 10:46, Magnus Hagander <magnus@hagander.net> wrote:

> It might also be worth noting that it's not really "any protocol version", it means it will be "whatever the openssl
configurationsays", I think? For example, debian buster sets: 
>
> [system_default_sect]
> MinProtocol = TLSv1.2
>
> Which I believe means that if your libpq app is running on debian buster, it will be min v1.2 already

Correct, that being said I'm not sure how common it is for distributions to set
a default protocol version.  The macOS versions I have handy doesn't enforce a
default version, nor does Ubuntu 20.04, FreeBSD 12 or OpenBSD 6.5 AFAICT.

> (and it would likely be more useful to use ssl_min_protocol_version to *lower* that when connecting to older
servers).

That is indeed one use-case for the connection parameter.

cheers ./daniel

pgsql-hackers by date:

From: Michael Paquier
Date: 24 June 2020, 12:00:23
Subject: Re: Removal of currtid()/currtid2() and some table AM cleanup

From: ROS Didier
Date: 24 June 2020, 12:05:30
Subject: PostgreSQL and big data - FDW

Re: should libpq also require TLSv1.2 by default? - Mailing list pgsql-hackers

Previous

Next