Re: Update minimum SSL version

Peter Eisentraut <peter.eisentraut@2ndquadrant.com>

From: Peter Eisentraut <peter.eisentraut@2ndquadrant.com>
To: Tom Lane <tgl@sss.pgh.pa.us>, Robert Haas <robertmhaas@gmail.com>
Cc: Michael Paquier <michael@paquier.xyz>, Magnus Hagander <magnus@hagander.net>, Daniel Gustafsson <daniel@yesql.se>, pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2019-12-04T07:52:14Z
Lists: pgsql-hackers
On 2019-12-02 17:39, Tom Lane wrote:
> Robert Haas <robertmhaas@gmail.com> writes:
>> ... However, it would be worth putting in some
>> effort to make sure that we give a good error message if this happens.
> 
> That's an excellent point, but it looks like we're pretty good
> already.  I tried the patch with openssl 0.9.8x, and got this
> failure at server start:
> 
> FATAL:  ssl_min_protocol_version setting TLSv1.2 not supported by this build

That's the easy part, since it's under our control.  The other situation 
is if you connect with an old library to a newer server that has the 
raised ssl_min_protocol_version setting.  Then you get something like this:

psql: SSL error: tlsv1 alert protocol version

and on the server:

LOG:  could not accept SSL connection: unsupported protocol

Not great, but usable.

(What actually happens due to the default of PGSSLMODE=prefer is that 
psql/libpq will have the SSL connection attempt rejected and will 
connect using a non-SSL connection.)

-- 
Peter Eisentraut              http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services



Commits

  1. Fix handling of OpenSSL's SSL_clear_options

  2. Remove configure check for OpenSSL's SSL_get_current_compression()

  3. Update minimum SSL version