Re: settings to control SSL/TLS protocol version
David Fetter <david@fetter.org>
From: David Fetter <david@fetter.org>
To: Robert Haas <robertmhaas@gmail.com>
Cc: Peter Eisentraut <peter.eisentraut@2ndquadrant.com>, "pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>
Date: 2018-11-05T20:53:08Z
Lists: pgsql-hackers
On Mon, Nov 05, 2018 at 03:01:58PM -0500, Robert Haas wrote: > On Mon, Oct 1, 2018 at 4:21 PM Peter Eisentraut > <peter.eisentraut@2ndquadrant.com> wrote: > > There have been some requests to be able to select the TLS versions > > PostgreSQL is using. We currently only hardcode that SSLv2 and SSLv3 > > are disabled, but there is also some interest now in disabling TLSv1.0 > > and TLSv1.1. Also, I've had some issues in some combinations with the > > new TLSv1.3, so there is perhaps also some use for disabling at the top end. > > > > Attached is a patch that implements this. For example: > > > > ssl_min_protocol_version = 'TLSv1' > > ssl_max_protocol_version = 'any' > > +1. Maybe it would make sense to spell 'any' as the empty string. > Intuitively, it makes more sense to me to think about there being no > maximum than to think about the maximum being anything. ..and now, I'm finally beginning to see the reasoning that led Oracle to conflate NULL and empty string. Best, David. -- David Fetter <david(at)fetter(dot)org> http://fetter.org/ Phone: +1 415 235 3778 Remember to vote! Consider donating to Postgres: http://www.postgresql.org/about/donate
Commits
-
Add settings to control SSL/TLS protocol version
- e73e67c71959 12.0 landed