| From: | Bruce Momjian <bruce(at)momjian(dot)us> |
|---|---|
| To: | Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> |
| Cc: | Daniel Gustafsson <daniel(at)yesql(dot)se>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: should libpq also require TLSv1.2 by default? |
| Date: | 2020-06-24 18:22:10 |
| Message-ID: | 20200624182210.GC17842@momjian.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Wed, Jun 24, 2020 at 07:57:31PM +0200, Peter Eisentraut wrote:
> On 2020-06-24 10:33, Daniel Gustafsson wrote:
> > > In PG13, we raised the server-side default of ssl_min_protocol_version to TLSv1.2. We also added a connection setting named ssl_min_protocol_version to libpq. But AFAICT, the default value of the libpq setting is empty, so any protocol version will be accepted. Is this what we wanted? Should we raise the default in libpq as well?
> >
> > This was discussed [0] when the connection settings were introduced, and the
> > concensus was to leave them alone [1] to allow for example a new pg_dump to
> > work against an old server. Re-reading the thread I think the argument still
> > holds, but I was about to respond "yes, let's do this" before refreshing my
> > memory. Perhaps we should add a comment explaining this along the lines of the
> > attached?
> >
> > [0] https://www.postgresql.org/message-id/157800160408.1198.1714906047977693148.pgcf%40coridan.postgresql.org
> > [1] https://www.postgresql.org/message-id/31993.1578321474%40sss.pgh.pa.us
>
> ISTM that these discussions went through the same questions and arguments
> that were made regarding the server-side change but arrived at a different
> conclusion. So I suggest to reconsider this so that we don't ship with
> contradictory results.
>
> That doesn't necessarily mean that we have to make a change, but we should
> make sure our rationale is sound.
>
> Note that all OpenSSL versions that do not support TLSv1.2 also do not
> support TLSv1.1. So by saying, in effect, that TLSv1.2 is too new to
> require, we are saying that we need to keep supporting TLSv1.0 -- which is
> heavily deprecated. Also note that the first OpenSSL version with support
> for TLSv1.2 shipped on March 14, 2012.
I do think mismatched SSL requirements between client and server is
confusing, though I can see the back-version pg_dump being an issue.
Maybe a clear error message would help here.
--
Bruce Momjian <bruce(at)momjian(dot)us> https://momjian.us
EnterpriseDB https://enterprisedb.com
The usefulness of a cup is in its emptiness, Bruce Lee
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Alvaro Herrera | 2020-06-24 18:27:58 | Re: Review for GetWALAvailability() |
| Previous Message | Peter Eisentraut | 2020-06-24 18:21:29 | Re: Allow CURRENT_ROLE in GRANTED BY |