| From: | Jan Bilek <jan(dot)bilek(at)eftlab(dot)co(dot)uk> |
|---|---|
| To: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: Postgres and TLSv1.2 |
| Date: | 2015-05-21 16:30:48 |
| Message-ID: | 555E0838.30200@eftlab.co.uk |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 22/05/15 02:06, Tom Lane wrote:
> Jan Bilek <jan(dot)bilek(at)eftlab(dot)co(dot)uk> writes:
>> We are trying to setup Postgres with TLSv1.2 (undergoing PA:DSS audit),
>> but getting a bit stuck there with Postgres reporting “could not accept
>> SSL connection: no shared cipherâ€. This is obviously an internal OpenSSL
>> message, but worrying part is that we've had this setup running with the
>> other encryptions and the same certificates without any problems.
>> We've been trying to follow documentation from here:
>> http://www.postgresql.org/docs/9.3/static/ssl-tcp.html.
> libpq versions before 9.4 will only accept TLSv1 exactly. In 9.4 it
> should negotiate the highest TLS version supported by both server and
> client.
>
> I don't recall why we didn't back-patch that change, probably excessive
> concern for backwards compatibility ... but anyway, AFAICS from the git
> logs, it's not in 9.3.x. I think you could get TLS 1.2 from a 9.3 server
> and 9.4 libpq, if that helps.
>
> regards, tom lane
That explains it whole. Thank you for your fast and clear answer.
Best,
Jan
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2015-05-21 16:30:49 | Re: Postgres and TLSv1.2 |
| Previous Message | Andrew Gierth | 2015-05-21 16:25:56 | Re: GROUPING |