Re: should libpq also require TLSv1.2 by default?

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Daniel Gustafsson <daniel(at)yesql(dot)se>
Cc: Magnus Hagander <magnus(at)hagander(dot)net>, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: should libpq also require TLSv1.2 by default?
Date: 2020-06-26 20:22:37
Message-ID: 29049.1593202957@sss.pgh.pa.us
Lists: pgsql-hackers

I wrote:
> Anybody have a better idea? Is there a reasonably direct way to ask
> OpenSSL what its min and max versions are?

After some digging, there apparently is not. At first glance it would
seem that SSL_get_min_proto_version/SSL_get_max_proto_version should
help, but in reality they're just blindingly useless, because they
return zero in most cases of interest. And when they don't return zero
they might give us a code that we don't recognize, so there's no future
proofing to be had from using them. Plus they don't exist before
openssl 1.1.1.

It looks like, when they exist, we could use them to discover any
restrictions openssl.cnf has set on the allowed protocol versions ...
but I'm not really convinced that's worth the trouble. If we up the
libpq default to TLSv1.2 then there probably won't be any real-world
cases where openssl.cnf affects our results.

So I propose the attached. The hack in openssl.h to guess the
min/max supported versions is certainly nothing but a hack;
but I see no way to do better.

regards, tom lane

Attachment Content-Type Size
ssl-protocol-version-hints-2.patch text/x-diff 6.1 KB
change-libpq-tls-default.patch text/x-diff 1.5 KB
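As an added illustration of the problem the message describes (this is not libpq's code and not the attached patch): a client that wants to enforce a TLS 1.2 floor has to treat the library's "0 = no restriction" answer as unknown and guess the compiled-in range itself. The example below does that in Python's ssl module; it assumes that the ssl.HAS_TLSv1 .. HAS_TLSv1_3 flags reflect how the linked OpenSSL was built, and the TLS_VERSIONS table, resolve_bounds and guess_supported_range are names introduced here for the illustration.

```python
"""Pick TLS protocol bounds for a client when the library will not say
what it supports (added illustration; not libpq's code or the patch)."""
import ssl
from typing import Optional, Tuple

# Wire codes as OpenSSL's TLS1_VERSION .. TLS1_3_VERSION define them; they
# are also the numeric values of Python's ssl.TLSVersion members.
TLS_VERSIONS = {
    "TLSv1": 0x0301,
    "TLSv1.1": 0x0302,
    "TLSv1.2": 0x0303,
    "TLSv1.3": 0x0304,
}
VERSION_NAMES = {code: name for name, code in TLS_VERSIONS.items()}

# 0 is OpenSSL's "no restriction" value, the same thing the message says
# SSL_get_min_proto_version/SSL_get_max_proto_version usually hand back.
NO_RESTRICTION = 0


def parse_version(name: str) -> int:
    """Map a libpq-style version string such as "TLSv1.2" to its code."""
    try:
        return TLS_VERSIONS[name]
    except KeyError:
        raise ValueError(f"unrecognized TLS protocol version {name!r}") from None


def guess_supported_range() -> Tuple[int, int]:
    """Guess the linked OpenSSL's compiled-in [lowest, highest] TLS version.

    OpenSSL offers no query for this, so it is inferred.  Assumption: the
    ssl.HAS_TLSv1 .. HAS_TLSv1_3 flags (derived from the OPENSSL_NO_TLS1*
    build macros) describe the library actually linked.
    """
    codes = sorted(
        code for name, code in TLS_VERSIONS.items()
        if getattr(ssl, "HAS_" + name.replace(".", "_"), False)
    )
    if not codes:
        raise RuntimeError("linked OpenSSL reports no TLS versions at all")
    return codes[0], codes[-1]


def resolve_bounds(requested_min: Optional[str], requested_max: Optional[str],
                   lib_min: int, lib_max: int) -> Tuple[int, int]:
    """Turn user-facing min/max settings into codes for set_*_proto_version.

    An unset bound stays NO_RESTRICTION rather than being clamped to the
    guessed range, so a restriction coming from openssl.cnf still applies.
    Only combinations that cannot possibly work are rejected.
    """
    lo = parse_version(requested_min) if requested_min else NO_RESTRICTION
    hi = parse_version(requested_max) if requested_max else NO_RESTRICTION
    if lo and hi and lo > hi:
        raise ValueError(f"minimum {requested_min} is above maximum {requested_max}")
    if lo and lo > lib_max:
        raise ValueError(f"{requested_min} exceeds the newest version this "
                         f"OpenSSL supports ({VERSION_NAMES[lib_max]})")
    if hi and hi < lib_min:
        raise ValueError(f"{requested_max} is below the oldest version this "
                         f"OpenSSL supports ({VERSION_NAMES[lib_min]})")
    return lo, hi


def make_client_context(requested_min: Optional[str] = "TLSv1.2",
                        requested_max: Optional[str] = None) -> ssl.SSLContext:
    """Build a client context with the resolved bounds applied."""
    lib_min, lib_max = guess_supported_range()
    lo, hi = resolve_bounds(requested_min, requested_max, lib_min, lib_max)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if lo:
        ctx.minimum_version = ssl.TLSVersion(lo)
    if hi:
        ctx.maximum_version = ssl.TLSVersion(hi)
    return ctx


if __name__ == "__main__":
    lowest, highest = guess_supported_range()
    print("guessed range:", VERSION_NAMES[lowest], "..", VERSION_NAMES[highest])
    print("client minimum:", make_client_context("TLSv1.2").minimum_version.name)
```

Leaving an unset bound at 0 instead of filling it from the guessed range is deliberate: it matches the message's point that once the client floor is TLS 1.2, the guess only needs to catch impossible settings, and anything openssl.cnf narrows further still takes effect.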
