Re: should libpq also require TLSv1.2 by default?
Daniel Gustafsson <daniel@yesql.se>
From: Daniel Gustafsson <daniel@yesql.se>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Magnus Hagander <magnus@hagander.net>,
Peter Eisentraut <peter.eisentraut@2ndquadrant.com>,
pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2020-06-26T12:33:04Z
Lists: pgsql-hackers
> On 26 Jun 2020, at 00:44, Tom Lane <tgl@sss.pgh.pa.us> wrote: > My feeling now is that we'd be better off defaulting > ssl_min_protocol_version to something nonempty, just to make this > behavior platform-independent. We certainly can't leave the docs > as they are. Yeah, given the concensus in this thread and your findings I think we should default to TLSv1.2 as originally proposed. I still think there will be instances of existing connections to old servers that will all of a sudden break, but it's probably true that it's not a common setup. Optimizing for the majority and helping the minority with documentation is IMO the winning move. > Also, I confirm that the failure looks like > > $ psql -h ... -d "dbname=postgres sslmode=require" > psql: error: could not connect to server: SSL error: unsupported protocol > > While that's not *that* awful, if you realize that "protocol" means > TLS version, many people probably won't without a hint. It does not > help any that the message doesn't mention either the offered TLS version > or the version limits being enforced. I'm not sure we can do anything > about the former, but reducing the number of variables affecting the > latter seems like a smart idea. +1 > BTW, the server-side report of the problem looks like > > LOG: could not accept SSL connection: wrong version number I can totally see some thinking that it's the psql version at client side which is referred to and not the TLS protocol version. Perhaps we should add a hint there as well? cheers ./daniel
Commits
-
Add hints about protocol-version-related SSL connection failures.
- e2bcd99be18c 13.0 landed
- b63dd3d88f47 14.0 landed
-
Change libpq's default ssl_min_protocol_version to TLSv1.2.
- 6e682f61a5bd 14.0 landed
- 16412c78403e 13.0 landed