Setting min/max TLS protocol in clientside libpq
Daniel Gustafsson <daniel@yesql.se>
From: Daniel Gustafsson <daniel@yesql.se>
To: PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2019-12-03T17:37:48Z
Lists: pgsql-hackers
Attachments
- libpq_minmaxproto.patch (application/octet-stream) patch
Responding to the recent thread on bumping the default TLS version, I realized that we don't have a way to set the minimum/maximum TLS protocol version in clientside libpq. Setting the maximum protocol version obviously not terribly important (possibly with the exception of misbehaving middle-boxes and testing), but the minimum version can be quite useful to avoid misbehaving and/or misconfigured servers etc. The attached patch implements two new connection string variables for minimum and maximum TLS protocol version, mimicking how it's done in the backend. This does duplicate a bit of code from be-secure-openssl.c to cope with older versions of OpenSSL, but it seemed a too trivial duplication to create common/openssl.c (but others might disagree). This can today be achieved by editing the local openssl configuration, but having an override in libpq to tighten down the connection parameters make it far easier for the user/application IMO. cheers ./daniel
Commits
-
Rename connection parameters to control min/max SSL protocol version in libpq
- 401aad67045b 13.0 landed
-
Add connection parameters to control SSL protocol min/max in libpq
- ff8ca5fadd81 13.0 landed
-
Move OpenSSL routines for min/max protocol setting to src/common/
- f7cd5896a696 13.0 landed