Re: should libpq also require TLSv1.2 by default?

Daniel Gustafsson <daniel@yesql.se>

From: Daniel Gustafsson <daniel@yesql.se>
To: Magnus Hagander <magnus@hagander.net>
Cc: Peter Eisentraut <peter.eisentraut@2ndquadrant.com>, pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2020-06-24T09:01:48Z
Lists: pgsql-hackers
> On 24 Jun 2020, at 10:46, Magnus Hagander <magnus@hagander.net> wrote:

> It might also be worth noting that it's not really "any protocol version", it means it will be "whatever the openssl configuration says", I think? For example, debian buster sets:
> 
> [system_default_sect]
> MinProtocol = TLSv1.2
> 
> Which I believe means that if your libpq app is running on debian buster, it will be min v1.2 already

Correct, that being said I'm not sure how common it is for distributions to set
a default protocol version.  The macOS versions I have handy doesn't enforce a
default version, nor does Ubuntu 20.04, FreeBSD 12 or OpenBSD 6.5 AFAICT.

> (and it would likely be more useful to use ssl_min_protocol_version to *lower* that when connecting to older servers).

That is indeed one use-case for the connection parameter.

cheers ./daniel


Commits

  1. Add hints about protocol-version-related SSL connection failures.

  2. Change libpq's default ssl_min_protocol_version to TLSv1.2.