Re: Update minimum SSL version
Peter Eisentraut <peter.eisentraut@2ndquadrant.com>
From: Peter Eisentraut <peter.eisentraut@2ndquadrant.com>
To: Tom Lane <tgl@sss.pgh.pa.us>, Robert Haas <robertmhaas@gmail.com>
Cc: Michael Paquier <michael@paquier.xyz>,
Magnus Hagander <magnus@hagander.net>, Daniel Gustafsson <daniel@yesql.se>,
pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2019-12-04T07:52:14Z
Lists: pgsql-hackers
On 2019-12-02 17:39, Tom Lane wrote: > Robert Haas <robertmhaas@gmail.com> writes: >> ... However, it would be worth putting in some >> effort to make sure that we give a good error message if this happens. > > That's an excellent point, but it looks like we're pretty good > already. I tried the patch with openssl 0.9.8x, and got this > failure at server start: > > FATAL: ssl_min_protocol_version setting TLSv1.2 not supported by this build That's the easy part, since it's under our control. The other situation is if you connect with an old library to a newer server that has the raised ssl_min_protocol_version setting. Then you get something like this: psql: SSL error: tlsv1 alert protocol version and on the server: LOG: could not accept SSL connection: unsupported protocol Not great, but usable. (What actually happens due to the default of PGSSLMODE=prefer is that psql/libpq will have the SSL connection attempt rejected and will connect using a non-SSL connection.) -- Peter Eisentraut http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
Commits
-
Fix handling of OpenSSL's SSL_clear_options
- 7ad544fd8e45 11.7 landed
- 902276ff1309 12.2 landed
- 7d0bcb047717 13.0 landed
-
Remove configure check for OpenSSL's SSL_get_current_compression()
- 28f4bba66b57 13.0 landed
-
Update minimum SSL version
- b1abfec82547 13.0 landed