Re: should libpq also require TLSv1.2 by default?
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Michael Paquier <michael@paquier.xyz>
Cc: Daniel Gustafsson <daniel@yesql.se>,
Peter Eisentraut <peter.eisentraut@2ndquadrant.com>,
pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2020-06-25T02:50:39Z
Lists: pgsql-hackers
Michael Paquier <michael@paquier.xyz> writes: > On Thu, Jun 25, 2020 at 12:30:03AM +0200, Daniel Gustafsson wrote: >> As mentioned elsewhere in the thread, maybe this is also something which can be >> done more easily if we improve the error reporting? Right now it's fairly >> cryptic IMO. > This part may be tricky to get right I think, because the error comes > directly from OpenSSL when negotiating the protocol used between the > client and the server, like "no protocols available" or such. Can we do something comparable to the backend's HINT protocol, where we add on a comment that's only mostly-likely to be right? regards, tom lane
Commits
-
Add hints about protocol-version-related SSL connection failures.
- e2bcd99be18c 13.0 landed
- b63dd3d88f47 14.0 landed
-
Change libpq's default ssl_min_protocol_version to TLSv1.2.
- 6e682f61a5bd 14.0 landed
- 16412c78403e 13.0 landed