From: | Daniel Gustafsson <daniel(at)yesql(dot)se> |
---|---|
To: | Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> |
Cc: | pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: settings to control SSL/TLS protocol version |
Date: | 2018-10-01 21:30:45 |
Message-ID: | B50F5D37-526A-40F3-8F77-98319F23B639@yesql.se |
Lists: | pgsql-hackers |
> On 1 Oct 2018, at 22:21, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> wrote:
>
> There have been some requests to be able to select the TLS versions
> PostgreSQL is using. We currently only hardcode that SSLv2 and SSLv3
> are disabled, but there is also some interest now in disabling TLSv1.0
> and TLSv1.1. Also, I've had some issues in some combinations with the
> new TLSv1.3, so there is perhaps also some use for disabling at the top end.
>
> Attached is a patch that implements this. For example:
>
> ssl_min_protocol_version = 'TLSv1'
> ssl_max_protocol_version = 'any'
I don't think 'any' is a clear name for a setting which means "the highest
supported version". How about 'max_supported' or something similar?
> For reference, here is similar functionality implemented elsewhere:
>
> https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols
> https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslprotocol
>
> Unlike those two, which offer a list of protocols to use, I have gone
> with min and max settings.
FWIW, libcurl also supports a min/max approach with CURLOPT_SSLVERSION:
https://curl.haxx.se/libcurl/c/CURLOPT_SSLVERSION.html
+1 for using a min/max approach for setting the version, and it should be
trivial to add support for in the pending GnuTLS and Secure Transport patches.
cheers ./daniel
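To make the min/max semantics discussed above concrete, here is an added Python model of the two proposed settings, written for this page and not taken from the patch or from PostgreSQL's own code. It assumes the value names shown in the quoted mail (`TLSv1` through `TLSv1.3`, with `any` meaning the highest supported version) and ignores SSLv2/SSLv3, which the mail says are hardcoded off. It shows the set of versions a min/max pair allows, the equivalent nginx/httpd-style protocol list, whether a client's range overlaps a server's range at all, and how the same range maps onto Python's `ssl.SSLContext` (the mapping to OpenSSL calls in the actual patch is not shown on the page and is not claimed here).

```python
"""Added example: model of ssl_min_protocol_version / ssl_max_protocol_version.

Not the patch's code; the OpenSSL calls the real patch uses are not shown on
the mailing-list page, so this only models the setting semantics.
"""
import ssl

# Ordered from oldest to newest. SSLv2/SSLv3 are deliberately absent: the
# mail says they are hardcoded as disabled and are not selectable.
TLS_VERSIONS = ("TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
ANY = "any"  # spelling used in the quoted mail for "highest supported"

# Assumption: Python's ssl.TLSVersion names stand in for the library's
# protocol constants.
_PY_VERSION = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def parse_range(ssl_min_protocol_version, ssl_max_protocol_version):
    """Validate a (min, max) pair and return index bounds into TLS_VERSIONS.

    Raises ValueError for unknown names or an inverted range, which is the
    check a GUC validator for these settings would need.
    """
    if ssl_min_protocol_version not in TLS_VERSIONS:
        raise ValueError(f"unknown minimum version {ssl_min_protocol_version!r}")
    lo = TLS_VERSIONS.index(ssl_min_protocol_version)
    if ssl_max_protocol_version == ANY:
        hi = len(TLS_VERSIONS) - 1
    elif ssl_max_protocol_version in TLS_VERSIONS:
        hi = TLS_VERSIONS.index(ssl_max_protocol_version)
    else:
        raise ValueError(f"unknown maximum version {ssl_max_protocol_version!r}")
    if lo > hi:
        raise ValueError("ssl_min_protocol_version is above ssl_max_protocol_version")
    return lo, hi


def allowed_versions(ssl_min_protocol_version, ssl_max_protocol_version):
    """Tuple of protocol versions the pair permits, oldest first."""
    lo, hi = parse_range(ssl_min_protocol_version, ssl_max_protocol_version)
    return TLS_VERSIONS[lo:hi + 1]


def to_protocol_list(ssl_min_protocol_version, ssl_max_protocol_version):
    """Equivalent of the list style nginx/httpd use (space-separated names)."""
    return " ".join(allowed_versions(ssl_min_protocol_version, ssl_max_protocol_version))


def negotiable(server_range, client_range):
    """Versions both a server range and a client range accept.

    An empty result means the ranges do not overlap and every handshake
    between the two will fail, which is the misconfiguration to watch for
    when raising a server's minimum.
    """
    server = set(allowed_versions(*server_range))
    client = set(allowed_versions(*client_range))
    return tuple(v for v in TLS_VERSIONS if v in server and v in client)


def apply_to_context(ctx, ssl_min_protocol_version, ssl_max_protocol_version):
    """Apply the range to an ssl.SSLContext via its minimum/maximum_version."""
    lo, hi = parse_range(ssl_min_protocol_version, ssl_max_protocol_version)
    ctx.minimum_version = _PY_VERSION[TLS_VERSIONS[lo]]
    if ssl_max_protocol_version == ANY:
        ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    else:
        ctx.maximum_version = _PY_VERSION[TLS_VERSIONS[hi]]
    return ctx


if __name__ == "__main__":
    # Constructed sample settings, mirroring the example in the quoted mail.
    print("allowed:", allowed_versions("TLSv1", ANY))
    print("as list:", to_protocol_list("TLSv1.2", ANY))
    # A server that disables TLSv1.0/1.1 against a client capped at TLSv1.1.
    print("overlap:", negotiable(("TLSv1.2", ANY), ("TLSv1", "TLSv1.1")))
    ctx = apply_to_context(ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT), "TLSv1.2", ANY)
    print("context min:", ctx.minimum_version.name)
```

The `negotiable` check is the practical reason to prefer explicit min/max over an implicit "whatever the library does": once a server raises `ssl_min_protocol_version` to `TLSv1.2`, any client whose own range stops at `TLSv1.1` is locked out, and that is visible from the two ranges alone before any handshake is attempted.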