Re: should libpq also require TLSv1.2 by default?

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Daniel Gustafsson <daniel(at)yesql(dot)se>
Cc: Magnus Hagander <magnus(at)hagander(dot)net>, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: should libpq also require TLSv1.2 by default?
Date: 2020-06-27 16:55:21
Message-ID: 142460.1593276921@sss.pgh.pa.us
Lists: pgsql-hackers

I wrote:
> Daniel Gustafsson <daniel(at)yesql(dot)se> writes:
>> SSL_R_UNKNOWN_PROTOCOL seems to cover cases when someone manages to perform
>> something which OpenSSL believes is a broken SSLv2 connection, but their own
>> client-level code uses it to refer to SSL as well as TLS. Maybe it's worth
>> adding as a belts and suspenders type thing?

> No objection on my part.

>> If anything it might be useful to document in the comment that we're only
>> concerned with TLS versions; SSL2/3 are disabled in the library initialization.

> Good point.

Pushed with those corrections. I also rewrote the comment about which
error codes we'd seen in practice, after realizing that one of my tests
had been affected by the presence of "MinProtocol = TLSv1.2" in
RHEL8's openssl.cnf (causing a max setting less than that to be a local
configuration error, not something the server had rejected).

regards, tom lane
