From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
---|---|
To: | Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> |
Cc: | "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: settings to control SSL/TLS protocol version |
Date: | 2018-11-05 20:01:58 |
Message-ID: | CA+TgmoZ600q+Q6UEndhPKGTEkf5d1n918OXHSt3qYTXiK-06iA@mail.gmail.com |
Lists: | pgsql-hackers |

On Mon, Oct 1, 2018 at 4:21 PM Peter Eisentraut
<peter(dot)eisentraut(at)2ndquadrant(dot)com> wrote:
> There have been some requests to be able to select the TLS versions
> PostgreSQL is using. We currently only hardcode that SSLv2 and SSLv3
> are disabled, but there is also some interest now in disabling TLSv1.0
> and TLSv1.1. Also, I've had some issues in some combinations with the
> new TLSv1.3, so there is perhaps also some use for disabling at the top end.
>
> Attached is a patch that implements this. For example:
>
> ssl_min_protocol_version = 'TLSv1'
> ssl_max_protocol_version = 'any'

+1. Maybe it would make sense to spell 'any' as the empty string.
Intuitively, it makes more sense to me to think about there being no
maximum than to think about the maximum being anything.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company