Re: settings to control SSL/TLS protocol version

From: Daniel Gustafsson <daniel(at)yesql(dot)se>
To: Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>
Cc: pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: settings to control SSL/TLS protocol version
Date: 2018-10-02 12:29:14
Message-ID: 551C4F36-5F78-4FEB-8038-7B3D0C1DE3BC@yesql.se
Lists: pgsql-hackers

> On 2 Oct 2018, at 14:23, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> wrote:
>
> On 01/10/2018 23:30, Daniel Gustafsson wrote:
>>> ssl_min_protocol_version = 'TLSv1'
>>> ssl_max_protocol_version = 'any'
>>
>> I don’t think ‘any’ is a clear name for a setting which means “the highest
>> supported version”. How about ‘max_supported’ or something similar?
>
> I can see the argument for an alternative, but your suggestion is a
> mouthful.

Agreed, but I can’t think of a better wording. Perhaps just ‘tls_max’?

>> +1 for using a min/max approach for setting the version, and it should be
>> trivial to add support for in the pending GnuTLS and Secure Transport patches.
>
> AFAICT, in GnuTLS this is done via the "priorities" setting that also
> sets the ciphers. There is no separate API for just the TLS version.
> It would be interesting to see how Secure Transport can do it.

Secure Transport has a fairly neat API for this, SSLSetProtocolVersionMax() and
SSLSetProtocolVersionMin() (available since Lion).

cheers ./daniel
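The min/max pair discussed in this thread, as an added example that is not code from the proposed patch or from PostgreSQL: a parser for the proposed GUC values and the consistency check a GUC hook would run on them. The numeric codes mirror the TLS record-layer version numbers; treating 'any' as 0 (no upper bound) follows OpenSSL's convention and is an assumption here, as is accepting 'any' only on the max side, since the quoted snippet shows it only there.

```c
#include <stdio.h>
#include <string.h>

/* TLS protocol versions as encoded on the wire (major, minor). */
#define TLS_VERSION_1_0 0x0301
#define TLS_VERSION_1_1 0x0302
#define TLS_VERSION_1_2 0x0303
#define TLS_VERSION_1_3 0x0304
#define TLS_VERSION_ANY 0      /* assumption: 0 = "highest supported", as in OpenSSL */

/* Map a GUC string to a version code; -1 means the value is not recognised.
 * 'any' is only accepted when allow_any is set (assumption: max side only). */
static int parse_tls_version(const char *value, int allow_any)
{
    if (allow_any && strcmp(value, "any") == 0) return TLS_VERSION_ANY;
    if (strcmp(value, "TLSv1") == 0)   return TLS_VERSION_1_0;
    if (strcmp(value, "TLSv1.1") == 0) return TLS_VERSION_1_1;
    if (strcmp(value, "TLSv1.2") == 0) return TLS_VERSION_1_2;
    if (strcmp(value, "TLSv1.3") == 0) return TLS_VERSION_1_3;
    return -1;
}

/* Validate the pair as a server would at startup/reload.
 * Returns 0 = accepted, 1 = accepted with a warning, -1 = rejected.
 * A human-readable reason is written to err in the non-zero cases. */
static int check_tls_range(const char *min_str, const char *max_str,
                           char *err, size_t errlen)
{
    int vmin = parse_tls_version(min_str, 0);
    int vmax = parse_tls_version(max_str, 1);

    if (vmin < 0) {
        snprintf(err, errlen, "invalid ssl_min_protocol_version \"%s\"", min_str);
        return -1;
    }
    if (vmax < 0) {
        snprintf(err, errlen, "invalid ssl_max_protocol_version \"%s\"", max_str);
        return -1;
    }
    /* An empty range can never negotiate a connection: reject it outright. */
    if (vmax != TLS_VERSION_ANY && vmin > vmax) {
        snprintf(err, errlen, "ssl_min_protocol_version \"%s\" exceeds "
                 "ssl_max_protocol_version \"%s\"", min_str, max_str);
        return -1;
    }
    /* TLS 1.0 and 1.1 are deprecated (RFC 8996); allow but flag the setting. */
    if (vmin < TLS_VERSION_1_2) {
        snprintf(err, errlen, "minimum \"%s\" permits deprecated TLS versions", min_str);
        return 1;
    }
    err[0] = '\0';
    return 0;
}
```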
