Re: should libpq also require TLSv1.2 by default?
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Daniel Gustafsson <daniel@yesql.se>
Cc: Magnus Hagander <magnus@hagander.net>,
Peter Eisentraut <peter.eisentraut@2ndquadrant.com>,
pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2020-06-26T15:36:42Z
Lists: pgsql-hackers
Attachments
- ssl-protocol-version-hints-1.patch (text/x-diff) patch
Here is a quick attempt at getting libpq and the server to report suitable hint messages about SSL version problems. The main thing I don't like about this as formulated is that I hard-wired knowledge of the minimum and maximum SSL versions into the hint messages. That's clearly not very maintainable, but it seems really hard to keep the messages readable/useful without giving concrete version numbers. Anybdy have a better idea? Is there a reasonably direct way to ask OpenSSL what its min and max versions are? regards, tom lane
Commits
-
Add hints about protocol-version-related SSL connection failures.
- e2bcd99be18c 13.0 landed
- b63dd3d88f47 14.0 landed
-
Change libpq's default ssl_min_protocol_version to TLSv1.2.
- 6e682f61a5bd 14.0 landed
- 16412c78403e 13.0 landed