Re: Update minimum SSL version
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Michael Paquier <michael@paquier.xyz>
Cc: Magnus Hagander <magnus@hagander.net>,
Daniel Gustafsson <daniel@yesql.se>,
Peter Eisentraut <peter.eisentraut@2ndquadrant.com>,
pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2019-11-30T03:06:54Z
Lists: pgsql-hackers
Michael Paquier <michael@paquier.xyz> writes: > On Fri, Nov 29, 2019 at 10:30:47AM -0500, Tom Lane wrote: >> What's the impact going to be on buildfarm members with older openssl >> installations? Perhaps "none", if they aren't running the ssl test >> suite, but we should be clear about it. > Actually, no, what I am writing here is incorrect. We should make > sure of that the default configuration is correct at initdb time, and > the patch does not do that. Yeah, that's sort of what I was getting at, but not quite. On newer openssl versions, this doesn't seem like it's really changing anything at all --- AFAIK, the client and server will already negotiate the highest jointly-supported TLS version. OTOH, with an openssl version old enough to not understand TLS >= 1.2, this change likewise won't do anything, except break configurations that used to work (for some not-too-secure value of "work"). I think the real question we have to answer is this: are we intent on making people upgrade ancient openssl installations? If so, shouldn't we be doing something even more aggressive than this? If not, wouldn't the patch need to try to autoconfigure the minimum TLS version? As proposed, the patch seems to be somewhere in a passive-aggressive middle ground of being annoying without really enforcing anything. So I don't quite see the point. regards, tom lane
Commits
-
Fix handling of OpenSSL's SSL_clear_options
- 7ad544fd8e45 11.7 landed
- 902276ff1309 12.2 landed
- 7d0bcb047717 13.0 landed
-
Remove configure check for OpenSSL's SSL_get_current_compression()
- 28f4bba66b57 13.0 landed
-
Update minimum SSL version
- b1abfec82547 13.0 landed