Re: settings to control SSL/TLS protocol version
Steve Singer <steve@ssinger.info>
From: Steve Singer <steve@ssinger.info>
To: pgsql-hackers@lists.postgresql.org
Cc: Peter Eisentraut <peter_e@gmx.net>
Date: 2018-11-04T03:24:09Z
Lists: pgsql-hackers
The following review has been posted through the commitfest application: make installcheck-world: tested, passed Implements feature: tested, passed Spec compliant: not tested Documentation: tested, passed I've reviewed the patch and here are my comments. The feature seems useful a lot of application servers are implementing minimal TLS protocol versions. I don't see a way to restrict libpq to only connect with certain protocol versions. Maybe that is a separate patch but it would make this feature harder to test in the future. I tested with a server configured to via the options to only TLS1.3 and clients without TLSv1.3 support and confirmed that I couldn't connect with SSL. This is fine I tested with options to restrict the max version to TLSv1 and verified that the clients connected with TLSv1. This is fine I tested with a min protocol version greater than the max. The server started up (Do we want this to be an warning on startup?) but I wasn't able to connect with SSL. The following was in the server log could not accept SSL connection: unknown protocol I tested with a max protocol version set to any. This is fine. I tested putting TLSv1.3 in the config file when my openssl library did not support 1.3. This is fine. I am updating the patch status to ready for committer. The new status of this patch is: Ready for Committer
Commits
-
Add settings to control SSL/TLS protocol version
- e73e67c71959 12.0 landed