| From: | Daniel Gustafsson <daniel(at)yesql(dot)se> |
|---|---|
| To: | PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
| Subject: | Setting min/max TLS protocol in clientside libpq |
| Date: | 2019-12-03 17:37:48 |
| Message-ID: | 4F246AE3-A7AE-471E-BD3D-C799D3748E03@yesql.se |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Responding to the recent thread on bumping the default TLS version, I realized
that we don't have a way to set the minimum/maximum TLS protocol version in
clientside libpq. Setting the maximum protocol version obviously not terribly
important (possibly with the exception of misbehaving middle-boxes and
testing), but the minimum version can be quite useful to avoid misbehaving
and/or misconfigured servers etc.
The attached patch implements two new connection string variables for minimum
and maximum TLS protocol version, mimicking how it's done in the backend. This
does duplicate a bit of code from be-secure-openssl.c to cope with older
versions of OpenSSL, but it seemed a too trivial duplication to create
common/openssl.c (but others might disagree).
This can today be achieved by editing the local openssl configuration, but
having an override in libpq to tighten down the connection parameters make it
far easier for the user/application IMO.
cheers ./daniel
| Attachment | Content-Type | Size |
|---|---|---|
| libpq_minmaxproto.patch | application/octet-stream | 11.4 KB |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | David Nedrow | 2019-12-03 19:33:14 | Re: [PATCH] Addition of JetBrains project directory to .gitignore |
| Previous Message | Tom Lane | 2019-12-03 17:12:09 | Re: Bogus EXPLAIN results with column aliases for mismatched partitions |