Re: should libpq also require TLSv1.2 by default?
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Robert Haas <robertmhaas@gmail.com>
Cc: Michael Paquier <michael@paquier.xyz>,
Daniel Gustafsson <daniel@yesql.se>,
Peter Eisentraut <peter.eisentraut@2ndquadrant.com>,
pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2020-06-25T19:57:00Z
Lists: pgsql-hackers
Robert Haas <robertmhaas@gmail.com> writes: > I wonder how much of a problem this really is. Yeah. I find Robert's points about that pretty persuasive: by now needing to connect to a server without TLSv1.2 support, *and* needing to do so with SSL on, ought to be a tiny niche use case (much smaller than the number of people who would like a more secure default). If we can make the error message about this be reasonably clear then I don't have an objection to changing libpq's default. regards, tom lane
Commits
-
Add hints about protocol-version-related SSL connection failures.
- e2bcd99be18c 13.0 landed
- b63dd3d88f47 14.0 landed
-
Change libpq's default ssl_min_protocol_version to TLSv1.2.
- 6e682f61a5bd 14.0 landed
- 16412c78403e 13.0 landed