Re: should libpq also require TLSv1.2 by default?
Michael Paquier <michael@paquier.xyz>
From: Michael Paquier <michael@paquier.xyz>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Daniel Gustafsson <daniel@yesql.se>, Peter Eisentraut <peter.eisentraut@2ndquadrant.com>, pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2020-06-25T04:41:24Z
Lists: pgsql-hackers
On Wed, Jun 24, 2020 at 10:50:39PM -0400, Tom Lane wrote: > Can we do something comparable to the backend's HINT protocol, where > we add on a comment that's only mostly-likely to be right? OpenSSL publishes its error codes as of openssl/sslerr.h, and it looks like the two error codes we would need to worry about are SSL_R_UNSUPPORTED_PROTOCOL and SSL_R_NO_PROTOCOLS_AVAILABLE. So we could for example amend open_client_SSL() when negotiating the SSL connection in libpq with error messages or hints that help better than the current state of things, but that also means an extra maintenance on our side to make sure that we keep in sync with new error codes coming from the OpenSSL world. -- Michael
Commits
-
Add hints about protocol-version-related SSL connection failures.
- e2bcd99be18c 13.0 landed
- b63dd3d88f47 14.0 landed
-
Change libpq's default ssl_min_protocol_version to TLSv1.2.
- 6e682f61a5bd 14.0 landed
- 16412c78403e 13.0 landed