Re: Update minimum SSL version
Robert Haas <robertmhaas@gmail.com>
From: Robert Haas <robertmhaas@gmail.com>
To: Michael Paquier <michael@paquier.xyz>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, Magnus Hagander <magnus@hagander.net>, Daniel Gustafsson <daniel@yesql.se>,
Peter Eisentraut <peter.eisentraut@2ndquadrant.com>, pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2019-12-02T15:31:40Z
Lists: pgsql-hackers
On Fri, Nov 29, 2019 at 9:44 PM Michael Paquier <michael@paquier.xyz> wrote: > Actually, no, what I am writing here is incorrect. We should make > sure of that the default configuration is correct at initdb time, and > the patch does not do that. I think that would be overkill. There shouldn't be many people who are running with a version of PostgreSQL that is 8 years newer than the version of OpenSSL they are using, and who are also relying on SSL, and even if there are such people, it's a pretty minor configuration change to make it work. However, it would be worth putting in some effort to make sure that we give a good error message if this happens. I'm not sure how practical that is. But there's a big difference between giving an incomprehensible OpenSSL message that says "things aren't working and good luck figuring out why" and giving a message that says something like: ERROR: ssl_min_protocol_version specifies TLSv1.2, but your OpenSSL library does not support protocol versions beyond TLSv1.1 -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
Commits
-
Fix handling of OpenSSL's SSL_clear_options
- 7ad544fd8e45 11.7 landed
- 902276ff1309 12.2 landed
- 7d0bcb047717 13.0 landed
-
Remove configure check for OpenSSL's SSL_get_current_compression()
- 28f4bba66b57 13.0 landed
-
Update minimum SSL version
- b1abfec82547 13.0 landed