Re: [PATCH] add ssl_protocols configuration option
Dag-Erling Smørgrav <des@des.no>
From: Dag-Erling Smørgrav <des@des.no>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Alvaro Herrera <alvherre@2ndquadrant.com>,
Martijn van Oosterhout <kleptog@svana.org>,
Magnus Hagander <magnus@hagander.net>,
Michael Paquier <michael.paquier@gmail.com>,
PostgreSQL mailing lists <pgsql-hackers@postgresql.org>
Date: 2014-10-23T18:56:49Z
Lists: pgsql-hackers
Tom Lane <tgl@sss.pgh.pa.us> writes: > Anyone who is feeling paranoid about shutting off SSLv3 despite (1) > can do so via the existing ssl_ciphers GUC parameter [...] the ciphers > string includes categories corresponding to protocol versions, so you > can shut off an old protocol version there if you need to. The overlap between SSL 3.0 and TLS 1.0 is 100%: % openssl ciphers SSLv2 | md5 fe5ff23432f119364a1126ca0776c5db % openssl ciphers SSLv3 | md5 bde4e4a10b9c3f323c0632ad067e293a % openssl ciphers TLSv1 | md5 bde4e4a10b9c3f323c0632ad067e293a % openssl ciphers TLSv1.2 | md5 26c375b6bdefb018b9dd7df463658320 Thus, if you disable all SSL 3.0 ciphers, you also disable TLS 1.0. DES -- Dag-Erling Smørgrav - des@des.no