From: | Daniel Gustafsson <daniel(at)yesql(dot)se> |
---|---|
To: | Magnus Hagander <magnus(at)hagander(dot)net> |
Cc: | Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: should libpq also require TLSv1.2 by default? |
Date: | 2020-06-24 09:01:48 |
Message-ID: | DF11E406-A9AB-43A6-9B0E-5291644CC16F@yesql.se |
Lists: | pgsql-hackers |
> On 24 Jun 2020, at 10:46, Magnus Hagander <magnus(at)hagander(dot)net> wrote:
> It might also be worth noting that it's not really "any protocol version", it means it will be "whatever the openssl configuration says", I think? For example, debian buster sets:
>
> [system_default_sect]
> MinProtocol = TLSv1.2
>
> Which I believe means that if your libpq app is running on debian buster, it will be min v1.2 already
Correct; that being said, I'm not sure how common it is for distributions to set
a default protocol version. The macOS versions I have handy don't enforce a
default version, nor does Ubuntu 20.04, FreeBSD 12 or OpenBSD 6.5 AFAICT.
> (and it would likely be more useful to use ssl_min_protocol_version to *lower* that when connecting to older servers).
That is indeed one use-case for the connection parameter.
cheers ./daniel
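An added example, not code from this thread or from PostgreSQL, that resolves the floor the two messages above describe: it walks the openssl.cnf chain that ends in [system_default_sect] (the Debian buster setup Magnus quotes) and then applies an explicit libpq ssl_min_protocol_version. It assumes, as Magnus's remark about lowering the floor implies, that the connection parameter replaces the system default rather than only raising it; the sample config is constructed.

```python
import re
# Protocol names in strength order, spelled as libpq's ssl_min_protocol_version takes them.
TLS_ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# Constructed sample mirroring the Debian buster openssl.cnf chain quoted in the thread.
BUSTER_CNF = """\
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1.2
"""
def parse_openssl_cnf(text):
    """Tiny openssl.cnf reader -> {section: {key: value}}. Keys before the first
    [section] go into the "" section; '#' comments and .include lines are skipped."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(".include"):
            continue
        header = re.match(r"^\[\s*(\S+)\s*\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def system_min_protocol(cnf_text):
    """Walk openssl_conf -> ssl_conf -> system_default -> MinProtocol as OpenSSL does
    at init. None means the distro sets no floor (the macOS / Ubuntu 20.04 case)."""
    s = parse_openssl_cnf(cnf_text)
    try:
        ssl_sect = s[s[""]["openssl_conf"]]["ssl_conf"]
        return s[s[ssl_sect]["system_default"]].get("MinProtocol")
    except KeyError:
        return None

def effective_min_protocol(cnf_text, conninfo=""):
    """Floor the client ends up with. Assumption: an explicit ssl_min_protocol_version
    in the conninfo replaces the system floor (so it can lower it); else the system applies."""
    param = re.search(r"\bssl_min_protocol_version=(\S+)", conninfo)
    return param.group(1) if param else system_min_protocol(cnf_text)

def below_tls12(cnf_text, conninfo=""):
    """True when the resulting floor admits TLS older than 1.2 (or there is no floor)."""
    floor = effective_min_protocol(cnf_text, conninfo)
    return floor is None or TLS_ORDER.index(floor) < TLS_ORDER.index("TLSv1.2")
```

Run below_tls12 against the openssl.cnf of each client platform you ship to; a True result means the distribution is not supplying the TLSv1.2 floor on libpq's behalf.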