Update minimum SSL version
Peter Eisentraut <peter.eisentraut@2ndquadrant.com>
From: Peter Eisentraut <peter.eisentraut@2ndquadrant.com>
To: pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2019-11-29T07:36:00Z
Lists: pgsql-hackers
Attachments
- 0001-Update-minimum-SSL-version.patch (text/plain) patch 0001
I propose to change the default of ssl_min_protocol_version to TLSv1.2 (from TLSv1, which means 1.0). Older versions would still be supported, just not by default. The reason is that TLS 1.0 and 1.1 are either already discouraged or deprecated or will be by the time PostgreSQL 13 comes out. So this move would be in the direction of "secure by default". Specifically, PCI DSS disallows the use of TLS 1.0 and discourages 1.1 [0], and browser vendors are set to disable 1.0 and 1.1 in their products sometime soon [1]. Using TLS 1.2 requires OpenSSL 1.0.1, released in 2012. I find this to be satisfied in CentOS 6 and Debian jessie (oldoldstable), for example. More details also in my recent blog post [2]. [0]: https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls [1]: https://arstechnica.com/gadgets/2018/10/browser-vendors-unite-to-end-support-for-20-year-old-tls-1-0/ [2]: https://www.2ndquadrant.com/en/blog/setting-ssl-tls-protocol-versions-with-postgresql-12/ -- Peter Eisentraut http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
Commits
-
Fix handling of OpenSSL's SSL_clear_options
- 7ad544fd8e45 11.7 landed
- 902276ff1309 12.2 landed
- 7d0bcb047717 13.0 landed
-
Remove configure check for OpenSSL's SSL_get_current_compression()
- 28f4bba66b57 13.0 landed
-
Update minimum SSL version
- b1abfec82547 13.0 landed