Re: Setting min/max TLS protocol in clientside libpq

Tom Lane <tgl@sss.pgh.pa.us>

From: Tom Lane <tgl@sss.pgh.pa.us>
To: Magnus Hagander <magnus@hagander.net>
Cc: Michael Paquier <michael@paquier.xyz>, cary huang <hcary328@gmail.com>, PostgreSQL Developers <pgsql-hackers@lists.postgresql.org>, Daniel Gustafsson <daniel@yesql.se>
Date: 2020-01-06T14:37:54Z
Lists: pgsql-hackers
Magnus Hagander <magnus@hagander.net> writes:
> Not having thought about it in much detail, but it's a fairly common
> scenario to have a much newer version of libpq (and the platform it's
> built on) than the server. E.g. a v12 libpq against a v9.6 postgres
> server is very common. For example, debian based systems will
> auto-upgrade your libpq, but not your server (for obvious reasons).
> And it's also quite common to upgrade platforms for the application
> much more frequently than the database server platform.

Yeah, there's a reason why we expect pg_dump and psql to function with
ancient server versions.  We shouldn't break this scenario with
careless rejiggering of libpq's connection defaults.

			regards, tom lane



Commits

  1. Rename connection parameters to control min/max SSL protocol version in libpq

  2. Add connection parameters to control SSL protocol min/max in libpq

  3. Move OpenSSL routines for min/max protocol setting to src/common/