Re: [PATCH] add ssl_protocols configuration option
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Magnus Hagander <magnus@hagander.net>
Cc: Alvaro Herrera <alvherre@2ndquadrant.com>, Dag-Erling Smørgrav <des@des.no>, Michael Paquier <michael.paquier@gmail.com>, PostgreSQL mailing lists <pgsql-hackers@postgresql.org>
Date: 2014-10-19T19:18:41Z
Lists: pgsql-hackers
Magnus Hagander <magnus@hagander.net> writes: > On Sun, Oct 19, 2014 at 6:17 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote: >> And in the end, if we set values like this from PG --- whether >> hard-wired or via a GUC --- the SSL library people will have exactly >> the same perspective with regards to *our* values. And not without >> reason; we were forcing very obsolete settings up till recently, >> because nobody had looked at the issue for a decade. I see no reason >> to expect that that history won't repeat itself. > The best part would be if we could just leave it up to the SSL > library, but at least the openssl one doesn't have an API that lets us > do that, right? We *have* to pick something... As far as protocol version goes, I think our existing coding basically says "prefer newest available version, but at least TLS 1.0". I think that's probably a reasonable approach. If the patch exposed a GUC that set a "minimum" version, rather than calling out specific acceptable protocols, it might be less risky. regards, tom lane