Re: Setting min/max TLS protocol in clientside libpq

Michael Paquier <michael@paquier.xyz>

From: Michael Paquier <michael@paquier.xyz>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Magnus Hagander <magnus@hagander.net>, cary huang <hcary328@gmail.com>, PostgreSQL Developers <pgsql-hackers@lists.postgresql.org>, Daniel Gustafsson <daniel@yesql.se>
Date: 2020-01-07T00:51:08Z
Lists: pgsql-hackers
On Mon, Jan 06, 2020 at 09:37:54AM -0500, Tom Lane wrote:
> Magnus Hagander <magnus@hagander.net> writes:
>> Not having thought about it in much detail, but it's a fairly common
>> scenario to have a much newer version of libpq (and the platform it's
>> built on) than the server. E.g. a v12 libpq against a v9.6 postgres
>> server is very common. For example, debian based systems will
>> auto-upgrade your libpq, but not your server (for obvious reasons).
>> And it's also quite common to upgrade platforms for the application
>> much more frequently than the database server platform.
> 
> Yeah, there's a reason why we expect pg_dump and psql to function with
> ancient server versions.  We shouldn't break this scenario with
> careless rejiggering of libpq's connection defaults.

Good points.  Let's not do that then.
--
Michael

Commits

  1. Rename connection parameters to control min/max SSL protocol version in libpq

  2. Add connection parameters to control SSL protocol min/max in libpq

  3. Move OpenSSL routines for min/max protocol setting to src/common/