Setting min/max TLS protocol in clientside libpq

From: Daniel Gustafsson <daniel(at)yesql(dot)se>
To: PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: Setting min/max TLS protocol in clientside libpq
Date: 2019-12-03 17:37:48
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-hackers

Responding to the recent thread on bumping the default TLS version, I realized
that we don't have a way to set the minimum/maximum TLS protocol version in
clientside libpq. Setting the maximum protocol version obviously not terribly
important (possibly with the exception of misbehaving middle-boxes and
testing), but the minimum version can be quite useful to avoid misbehaving
and/or misconfigured servers etc.

The attached patch implements two new connection string variables for minimum
and maximum TLS protocol version, mimicking how it's done in the backend. This
does duplicate a bit of code from be-secure-openssl.c to cope with older
versions of OpenSSL, but it seemed a too trivial duplication to create
common/openssl.c (but others might disagree).

This can today be achieved by editing the local openssl configuration, but
having an override in libpq to tighten down the connection parameters make it
far easier for the user/application IMO.

cheers ./daniel

Attachment Content-Type Size
libpq_minmaxproto.patch application/octet-stream 11.4 KB


Browse pgsql-hackers by date

  From Date Subject
Next Message David Nedrow 2019-12-03 19:33:14 Re: [PATCH] Addition of JetBrains project directory to .gitignore
Previous Message Tom Lane 2019-12-03 17:12:09 Re: Bogus EXPLAIN results with column aliases for mismatched partitions