| From: | Daniel Gustafsson <daniel(at)yesql(dot)se> |
|---|---|
| To: | Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> |
| Cc: | pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: should libpq also require TLSv1.2 by default? |
| Date: | 2020-06-24 08:33:22 |
| Message-ID: | 4FBC50DB-599A-42AA-90C8-3051E3A748BB@yesql.se |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
> On 24 Jun 2020, at 08:39, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> wrote:
>
> In PG13, we raised the server-side default of ssl_min_protocol_version to TLSv1.2. We also added a connection setting named ssl_min_protocol_version to libpq. But AFAICT, the default value of the libpq setting is empty, so any protocol version will be accepted. Is this what we wanted? Should we raise the default in libpq as well?
This was discussed [0] when the connection settings were introduced, and the
concensus was to leave them alone [1] to allow for example a new pg_dump to
work against an old server. Re-reading the thread I think the argument still
holds, but I was about to respond "yes, let's do this" before refreshing my
memory. Perhaps we should add a comment explaining this along the lines of the
attached?
cheers ./daniel
[0] https://www.postgresql.org/message-id/157800160408.1198.1714906047977693148.pgcf%40coridan.postgresql.org
[1] https://www.postgresql.org/message-id/31993.1578321474%40sss.pgh.pa.us
| Attachment | Content-Type | Size |
|---|---|---|
| libpq_minmaxproto_doc.diff | application/octet-stream | 1.0 KB |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Magnus Hagander | 2020-06-24 08:46:17 | Re: should libpq also require TLSv1.2 by default? |
| Previous Message | tushar | 2020-06-24 08:24:29 | Re: [Patch] ALTER SYSTEM READ ONLY |