Re: Setting min/max TLS protocol in clientside libpq

From: Michael Paquier <michael(at)paquier(dot)xyz>
To: Daniel Gustafsson <daniel(at)yesql(dot)se>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, cary huang <hcary328(at)gmail(dot)com>, pgsql-hackers(at)lists(dot)postgresql(dot)org
Subject: Re: Setting min/max TLS protocol in clientside libpq
Date: 2020-01-28 03:53:13
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-hackers

On Mon, Jan 27, 2020 at 09:49:09AM +0100, Daniel Gustafsson wrote:
>> On 27 Jan 2020, at 07:01, Michael Paquier <michael(at)paquier(dot)xyz> wrote:
> Ok. I prefer to keep the TLS code collected in fe-secure.c, but I don't have
> strong enough opinions to kick up a fuzz.

They are parameter-related, so fe-connect.c made the most sense to me.
The routine checking after the range makes the code more readable IMO
even if we only use it in one place.

>> Hm. I am not sure that having a separate section "Client Protocol
>> Usage" brings much, so I have removed this one, and added an extra
>> sentence for the maximum protocol regarding its value for testing or
>> protocol compatibility.
> I'm not convinced, this forces the reader to know what to look for (the
> connection parameters) rather than being informed. If anything, I think we
> need more explanatory sections in the docs.
>> So, attached is an updated version of the patch that I have spent a
>> couple of hours polishing. What do you think?
> Overall a +1 on this version, thanks for picking it up!

Thanks. I have committed the bulk of the changes. As mentioned
previously, I still have doubts about the value of the new section for
the new protocol usage. Once reworded a bit, I finish with the
attached, and the following paragraph for libpq.sgml:
+ <sect2>
+ <title>Client Protocol Usage</title>
+ <para>
+ When connecting using SSL, the client and server negotiate which protocol
+ to use for the connection. <productname>PostgreSQL</productname> supports
+ <literal>TLSv1</literal>, <literal>TLSv1.1</literal>,
+ <literal>TLSv1.2</literal> and <literal>TLSv1.3</literal>, but the
+ protocols available depend on the version of
+ <productname>OpenSSL</productname> that the client and the backend are
+ using. The minimum requested version can be specified with
+ <literal>sslminprotocolversion</literal>, which will ensure that the
+ connection uses that protocol version or higher. The maximum requested
+ version can be specified with <literal>sslmaxprotocolversion</literal>.
+ </para>
+ </sect2>

Now, we already mention in the docs which values the min and max
bounds support, and that the version of OpenSSL used by the backend
and the frontend are impacted by that depending on what version of
OpenSSL one or the other link to. The remaining piece is that the
client and the server negotiate the protocol they use, which is an
obvious fact, at least to me..

Attachment Content-Type Size
libpq_minmaxproto_doc.patch text/x-diff 1.1 KB

In response to


Browse pgsql-hackers by date

  From Date Subject
Next Message Michael Paquier 2020-01-28 04:03:46 Re: TRUNCATE on foreign tables
Previous Message Masahiko Sawada 2020-01-28 03:26:15 Re: [HACKERS] Block level parallel vacuum