Re: should libpq also require TLSv1.2 by default?
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Daniel Gustafsson <daniel@yesql.se>
Cc: Magnus Hagander <magnus@hagander.net>,
Peter Eisentraut <peter.eisentraut@2ndquadrant.com>,
pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2020-06-26T13:19:43Z
Lists: pgsql-hackers
Daniel Gustafsson <daniel@yesql.se> writes: >> On 26 Jun 2020, at 00:44, Tom Lane <tgl@sss.pgh.pa.us> wrote: >> BTW, the server-side report of the problem looks like >> LOG: could not accept SSL connection: wrong version number > I can totally see some thinking that it's the psql version at client side which > is referred to and not the TLS protocol version. Perhaps we should add a hint > there as well? Not sure. We can't fix it in the case we're mainly concerned about, namely an out-of-support server version. At the same time, it's certainly true that "version number" is way too under-specified in this context. Maybe improving this against the day that TLSv2 exists would be smart. regards, tom lane
Commits
-
Add hints about protocol-version-related SSL connection failures.
- e2bcd99be18c 13.0 landed
- b63dd3d88f47 14.0 landed
-
Change libpq's default ssl_min_protocol_version to TLSv1.2.
- 6e682f61a5bd 14.0 landed
- 16412c78403e 13.0 landed