Re: should libpq also require TLSv1.2 by default?
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Daniel Gustafsson <daniel@yesql.se>
Cc: Magnus Hagander <magnus@hagander.net>,
Peter Eisentraut <peter.eisentraut@2ndquadrant.com>,
pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2020-06-27T16:55:21Z
Lists: pgsql-hackers
I wrote: > Daniel Gustafsson <daniel@yesql.se> writes: >> SSL_R_UNKNOWN_PROTOCOL seem to covers cases when someone manages to perform >> something which OpenSSL believes is a broken SSLv2 connection, but their own >> client-level code use it to refer to SSL as well as TLS. Maybe it's worth >> adding as a belts and suspenders type thing? > No objection on my part. >> If anything it might useful to document in the comment that we're only >> concerned with TLS versions, SSL2/3 are disabled in the library initialization. > Good point. Pushed with those corrections. I also rewrote the comment about which error codes we'd seen in practice, after realizing that one of my tests had been affected by the presence of "MinProtocol = TLSv1.2" in RHEL8's openssl.cnf (causing a max setting less than that to be a local configuration error, not something the server had rejected). regards, tom lane
Commits
-
Add hints about protocol-version-related SSL connection failures.
- e2bcd99be18c 13.0 landed
- b63dd3d88f47 14.0 landed
-
Change libpq's default ssl_min_protocol_version to TLSv1.2.
- 6e682f61a5bd 14.0 landed
- 16412c78403e 13.0 landed