Update minimum SSL version

Peter Eisentraut <peter.eisentraut@2ndquadrant.com>

From: Peter Eisentraut <peter.eisentraut@2ndquadrant.com>
To: pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2019-11-29T07:36:00Z
Lists: pgsql-hackers

Attachments

I propose to change the default of ssl_min_protocol_version to TLSv1.2 
(from TLSv1, which means 1.0).  Older versions would still be supported, 
just not by default.

The reason is that TLS 1.0 and 1.1 are either already discouraged or 
deprecated or will be by the time PostgreSQL 13 comes out.  So this move 
would be in the direction of "secure by default".  Specifically, PCI DSS 
disallows the use of TLS 1.0 and discourages 1.1 [0], and browser 
vendors are set to disable 1.0 and 1.1 in their products sometime soon [1].

Using TLS 1.2 requires OpenSSL 1.0.1, released in 2012.  I find this to 
be satisfied in CentOS 6 and Debian jessie (oldoldstable), for example.

More details also in my recent blog post [2].


[0]: 
https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls
[1]: 
https://arstechnica.com/gadgets/2018/10/browser-vendors-unite-to-end-support-for-20-year-old-tls-1-0/
[2]: 
https://www.2ndquadrant.com/en/blog/setting-ssl-tls-protocol-versions-with-postgresql-12/

-- 
Peter Eisentraut              http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services

Commits

  1. Fix handling of OpenSSL's SSL_clear_options

  2. Remove configure check for OpenSSL's SSL_get_current_compression()

  3. Update minimum SSL version