Thread: change TLS version in postgres
Hi
I'm using postgres version 10, may i know how to change the tls version from 1.0 to a higher version?
regards
Yambu <hyambu@gmail.com> writes:
> I'm using postgres version 10, may i know how to change the tls version
> from 1.0 to a higher version?
If you have a new enough OpenSSL library, it should automatically
prefer more recent protocol versions.
If what you're concerned about is actively preventing use of lower
protocol versions, the only way to do that within PG itself is the
ssl_min_protocol_version setting, which exists in v12 and later.
However, you ought to be able to achieve the same effect by
adjusting the system-wide OpenSSL configuration: set
MinProtocol=TLSv1.2 in openssl.cnf (wherever that is on your
machine). You might find your distro already did that, btw.
I am not sure, but it might be possible to use a private openssl
config file if you want to only affect Postgres and not other
daemons on the machine. See the OpenSSL documentation.
regards, tom lane
Thank you Tom
On Mon, Jun 21, 2021 at 12:24 AM Tom Lane <tgl@sss.pgh.pa.us> wrote:
Yambu <hyambu@gmail.com> writes:
> I'm using postgres version 10, may i know how to change the tls version
> from 1.0 to a higher version?
If you have a new enough OpenSSL library, it should automatically
prefer more recent protocol versions.
If what you're concerned about is actively preventing use of lower
protocol versions, the only way to do that within PG itself is the
ssl_min_protocol_version setting, which exists in v12 and later.
However, you ought to be able to achieve the same effect by
adjusting the system-wide OpenSSL configuration: set
MinProtocol=TLSv1.2 in openssl.cnf (wherever that is on your
machine). You might find your distro already did that, btw.
I am not sure, but it might be possible to use a private openssl
config file if you want to only affect Postgres and not other
daemons on the machine. See the OpenSSL documentation.
regards, tom lane