Re: should libpq also require TLSv1.2 by default?
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Daniel Gustafsson <daniel@yesql.se>
Cc: Magnus Hagander <magnus@hagander.net>,
Peter Eisentraut <peter.eisentraut@2ndquadrant.com>,
pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2020-06-26T20:22:37Z
Lists: pgsql-hackers
Attachments
- ssl-protocol-version-hints-2.patch (text/x-diff) patch
- change-libpq-tls-default.patch (text/x-diff) patch
I wrote: > Anybdy have a better idea? Is there a reasonably direct way to ask > OpenSSL what its min and max versions are? After some digging, there apparently is not. At first glance it would seem that SSL_get_min_proto_version/SSL_get_max_proto_version should help, but in reality they're just blindingly useless, because they return zero in most cases of interest. And when they don't return zero they might give us a code that we don't recognize, so there's no future proofing to be had from using them. Plus they don't exist before openssl 1.1.1. It looks like, when they exist, we could use them to discover any restrictions openssl.cnf has set on the allowed protocol versions ... but I'm not really convinced that's worth the trouble. If we up the libpq default to TLSv1.2 then there probably won't be any real-world cases where openssl.cnf affects our results. So I propose the attached. The hack in openssl.h to guess the min/max supported versions is certainly nothing but a hack; but I see no way to do better. regards, tom lane
Commits
-
Add hints about protocol-version-related SSL connection failures.
- e2bcd99be18c 13.0 landed
- b63dd3d88f47 14.0 landed
-
Change libpq's default ssl_min_protocol_version to TLSv1.2.
- 6e682f61a5bd 14.0 landed
- 16412c78403e 13.0 landed