Setting min/max TLS protocol in clientside libpq

Daniel Gustafsson <daniel@yesql.se>

From: Daniel Gustafsson <daniel@yesql.se>
To: PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2019-12-03T17:37:48Z
Lists: pgsql-hackers

Attachments

Responding to the recent thread on bumping the default TLS version, I realized
that we don't have a way to set the minimum/maximum TLS protocol version in
clientside libpq.  Setting the maximum protocol version obviously not terribly
important (possibly with the exception of misbehaving middle-boxes and
testing), but the minimum version can be quite useful to avoid misbehaving
and/or misconfigured servers etc.

The attached patch implements two new connection string variables for minimum
and maximum TLS protocol version, mimicking how it's done in the backend.  This
does duplicate a bit of code from be-secure-openssl.c to cope with older
versions of OpenSSL, but it seemed a too trivial duplication to create
common/openssl.c (but others might disagree).

This can today be achieved by editing the local openssl configuration, but
having an override in libpq to tighten down the connection parameters make it
far easier for the user/application IMO.

cheers ./daniel

Commits

  1. Rename connection parameters to control min/max SSL protocol version in libpq

  2. Add connection parameters to control SSL protocol min/max in libpq

  3. Move OpenSSL routines for min/max protocol setting to src/common/