Re: should libpq also require TLSv1.2 by default?
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Daniel Gustafsson <daniel@yesql.se>
Cc: Magnus Hagander <magnus@hagander.net>,
Peter Eisentraut <peter.eisentraut@2ndquadrant.com>,
pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2020-06-26T21:27:44Z
Lists: pgsql-hackers
Daniel Gustafsson <daniel@yesql.se> writes: > SSL_R_UNKNOWN_PROTOCOL seem to covers cases when someone manages to perform > something which OpenSSL believes is a broken SSLv2 connection, but their own > client-level code use it to refer to SSL as well as TLS. Maybe it's worth > adding as a belts and suspenders type thing? No objection on my part. > Is this targeting v13 or v14? In case of the former, the release notes entry > for raising the default minimum version should perhaps be tweaked as it now > just refers to the GUC which is a tad misleading. I think Peter is proposing that we change this in v13. I didn't look at the release notes; usually we cover this sort of thing in-bulk when we update the release notes later in beta. > If anything it might useful to document in the comment that we're only > concerned with TLS versions, SSL2/3 are disabled in the library initialization. Good point. regards, tom lane
Commits
-
Add hints about protocol-version-related SSL connection failures.
- e2bcd99be18c 13.0 landed
- b63dd3d88f47 14.0 landed
-
Change libpq's default ssl_min_protocol_version to TLSv1.2.
- 6e682f61a5bd 14.0 landed
- 16412c78403e 13.0 landed