| From: | Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> |
|---|---|
| To: | pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Update minimum SSL version |
| Date: | 2019-11-29 07:36:00 |
| Message-ID: | b327f8df-da98-054d-0cc5-b76a857cfed9@2ndquadrant.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
I propose to change the default of ssl_min_protocol_version to TLSv1.2
(from TLSv1, which means 1.0). Older versions would still be supported,
just not by default.
The reason is that TLS 1.0 and 1.1 are either already discouraged or
deprecated or will be by the time PostgreSQL 13 comes out. So this move
would be in the direction of "secure by default". Specifically, PCI DSS
disallows the use of TLS 1.0 and discourages 1.1 [0], and browser
vendors are set to disable 1.0 and 1.1 in their products sometime soon [1].
Using TLS 1.2 requires OpenSSL 1.0.1, released in 2012. I find this to
be satisfied in CentOS 6 and Debian jessie (oldoldstable), for example.
More details also in my recent blog post [2].
[0]:
https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls
[1]:
https://arstechnica.com/gadgets/2018/10/browser-vendors-unite-to-end-support-for-20-year-old-tls-1-0/
[2]:
https://www.2ndquadrant.com/en/blog/setting-ssl-tls-protocol-versions-with-postgresql-12/
--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
| Attachment | Content-Type | Size |
|---|---|---|
| 0001-Update-minimum-SSL-version.patch | text/plain | 2.5 KB |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Fabien COELHO | 2019-11-29 07:44:25 | Re: fe-utils - share query cancellation code |
| Previous Message | Takuma Hoshiai | 2019-11-29 07:10:40 | Re: Implementing Incremental View Maintenance |