Re: [PATCH] add ssl_protocols configuration option

Dag-Erling Smørgrav <des@des.no>

From: Dag-Erling Smørgrav <des@des.no>
To: Martijn van Oosterhout <kleptog@svana.org>
Cc: Magnus Hagander <magnus@hagander.net>, Tom Lane <tgl@sss.pgh.pa.us>, Alvaro Herrera <alvherre@2ndquadrant.com>, Michael Paquier <michael.paquier@gmail.com>, PostgreSQL mailing lists <pgsql-hackers@postgresql.org>
Date: 2014-10-23T07:30:24Z
Lists: pgsql-hackers
Martijn van Oosterhout <kleptog@svana.org> writes:
> Dag-Erling Smørgrav <des@des.no> writes:
> > Martijn van Oosterhout <kleptog@svana.org> writes:
> > > Since you can already specify the cipher list, couldn't you just
> > > add -SSLv3 to the cipher list and be done?
> > I didn't want to change the existing behavior; all I wanted was to
> > give users a way to do so if they wish.
> I think we should just disable SSL3.0 altogether. The only way this
> could cause problems is if people are using PostgreSQL with an OpenSSL
> library from last century.  As for client libraries, even Windows XP
> supports TLS1.0.

As far as I'm concerned (i.e. as far as FreeBSD and the University of
Oslo are concerned), I couldn't care less about anything older than
0.9.8, which is what FreeBSD 8 and RHEL5 have, but I don't feel
comfortable making that decision for other people.  On the gripping
hand, no currently supported version of libpq uses anything older than
TLS; 9.0 through 9.3 use TLS 1.0 only while 9.4 uses TLS 1.0 or higher.

DES
-- 
Dag-Erling Smørgrav - des@des.no