Re: should libpq also require TLSv1.2 by default?
Magnus Hagander <magnus@hagander.net>
From: Magnus Hagander <magnus@hagander.net>
To: Daniel Gustafsson <daniel@yesql.se>
Cc: Peter Eisentraut <peter.eisentraut@2ndquadrant.com>, pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2020-06-24T08:46:17Z
Lists: pgsql-hackers
On Wed, Jun 24, 2020 at 10:33 AM Daniel Gustafsson <daniel@yesql.se> wrote: > > On 24 Jun 2020, at 08:39, Peter Eisentraut < > peter.eisentraut@2ndquadrant.com> wrote: > > > > In PG13, we raised the server-side default of ssl_min_protocol_version > to TLSv1.2. We also added a connection setting named > ssl_min_protocol_version to libpq. But AFAICT, the default value of the > libpq setting is empty, so any protocol version will be accepted. Is this > what we wanted? Should we raise the default in libpq as well? > > This was discussed [0] when the connection settings were introduced, and > the > concensus was to leave them alone [1] to allow for example a new pg_dump to > work against an old server. Re-reading the thread I think the argument > still > holds, but I was about to respond "yes, let's do this" before refreshing my > memory. Perhaps we should add a comment explaining this along the lines > of the > attached? > > Another argument for not changing the default is that if you want to use SSL in any meaningful way you have to *already* change the connection string (with sslmode=require or verify-*), so it's not unreasonable to make that consideration at the same time. It might also be worth noting that it's not really "any protocol version", it means it will be "whatever the openssl configuration says", I think? For example, debian buster sets: [system_default_sect] MinProtocol = TLSv1.2 Which I believe means that if your libpq app is running on debian buster, it will be min v1.2 already (and it would likely be more useful to use ssl_min_protocol_version to *lower* that when connecting to older servers). //Magnus
Commits
-
Add hints about protocol-version-related SSL connection failures.
- e2bcd99be18c 13.0 landed
- b63dd3d88f47 14.0 landed
-
Change libpq's default ssl_min_protocol_version to TLSv1.2.
- 6e682f61a5bd 14.0 landed
- 16412c78403e 13.0 landed