Re: [PATCH] add ssl_protocols configuration option

Dag-Erling Smørgrav <des@des.no>

From: Dag-Erling Smørgrav <des@des.no>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Alvaro Herrera <alvherre@2ndquadrant.com>, Martijn van Oosterhout <kleptog@svana.org>, Magnus Hagander <magnus@hagander.net>, Michael Paquier <michael.paquier@gmail.com>, PostgreSQL mailing lists <pgsql-hackers@postgresql.org>
Date: 2014-10-23T18:56:49Z
Lists: pgsql-hackers
Tom Lane <tgl@sss.pgh.pa.us> writes:
> Anyone who is feeling paranoid about shutting off SSLv3 despite (1)
> can do so via the existing ssl_ciphers GUC parameter [...] the ciphers
> string includes categories corresponding to protocol versions, so you
> can shut off an old protocol version there if you need to.

The overlap between SSL 3.0 and TLS 1.0 is 100%:

% openssl ciphers SSLv2 | md5  
fe5ff23432f119364a1126ca0776c5db
% openssl ciphers SSLv3 | md5 
bde4e4a10b9c3f323c0632ad067e293a
% openssl ciphers TLSv1 | md5
bde4e4a10b9c3f323c0632ad067e293a
% openssl ciphers TLSv1.2 | md5
26c375b6bdefb018b9dd7df463658320

Thus, if you disable all SSL 3.0 ciphers, you also disable TLS 1.0.

DES
-- 
Dag-Erling Smørgrav - des@des.no