Re: Setting min/max TLS protocol in clientside libpq
Michael Paquier <michael@paquier.xyz>
From: Michael Paquier <michael@paquier.xyz>
To: Daniel Gustafsson <daniel@yesql.se>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, cary huang <hcary328@gmail.com>, pgsql-hackers@lists.postgresql.org
Date: 2020-01-28T03:53:13Z
Lists: pgsql-hackers
Attachments
- libpq_minmaxproto_doc.patch (text/x-diff) patch
On Mon, Jan 27, 2020 at 09:49:09AM +0100, Daniel Gustafsson wrote: >> On 27 Jan 2020, at 07:01, Michael Paquier <michael@paquier.xyz> wrote: > Ok. I prefer to keep the TLS code collected in fe-secure.c, but I don't have > strong enough opinions to kick up a fuzz. They are parameter-related, so fe-connect.c made the most sense to me. The routine checking after the range makes the code more readable IMO even if we only use it in one place. >> Hm. I am not sure that having a separate section "Client Protocol >> Usage" brings much, so I have removed this one, and added an extra >> sentence for the maximum protocol regarding its value for testing or >> protocol compatibility. > > I'm not convinced, this forces the reader to know what to look for (the > connection parameters) rather than being informed. If anything, I think we > need more explanatory sections in the docs. > >> So, attached is an updated version of the patch that I have spent a >> couple of hours polishing. What do you think? > > Overall a +1 on this version, thanks for picking it up! Thanks. I have committed the bulk of the changes. As mentioned previously, I still have doubts about the value of the new section for the new protocol usage. Once reworded a bit, I finish with the attached, and the following paragraph for libpq.sgml: + <sect2> + <title>Client Protocol Usage</title> + <para> + When connecting using SSL, the client and server negotiate which protocol + to use for the connection. <productname>PostgreSQL</productname> supports + <literal>TLSv1</literal>, <literal>TLSv1.1</literal>, + <literal>TLSv1.2</literal> and <literal>TLSv1.3</literal>, but the + protocols available depend on the version of + <productname>OpenSSL</productname> that the client and the backend are + using. The minimum requested version can be specified with + <literal>sslminprotocolversion</literal>, which will ensure that the + connection uses that protocol version or higher. The maximum requested + version can be specified with <literal>sslmaxprotocolversion</literal>. + </para> + </sect2> Now, we already mention in the docs which values the min and max bounds support, and that the version of OpenSSL used by the backend and the frontend are impacted by that depending on what version of OpenSSL one or the other link to. The remaining piece is that the client and the server negotiate the protocol they use, which is an obvious fact, at least to me.. -- Michael
Commits
-
Rename connection parameters to control min/max SSL protocol version in libpq
- 401aad67045b 13.0 landed
-
Add connection parameters to control SSL protocol min/max in libpq
- ff8ca5fadd81 13.0 landed
-
Move OpenSSL routines for min/max protocol setting to src/common/
- f7cd5896a696 13.0 landed