From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | "Corbit, Dann" <Dann(dot)Corbit(at)softwareag(dot)com> |
Cc: | PostgreSQL Developers <pgsql-hackers(at)lists(dot)postgresql(dot)org>, "Luton, Bill" <Bill(dot)Luton(at)softwareag(dot)com>, "Fifer, Brian" <Brian(dot)Fifer(at)softwareag(dot)com>, "Lao, Alexander" <Alexander(dot)Lao(at)softwareag(dot)com> |
Subject: | Re: Connection using ODBC and SSL |
Date: | 2020-11-21 18:07:07 |
Message-ID: | 1547086.1605982027@sss.pgh.pa.us |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
"Corbit, Dann" <Dann(dot)Corbit(at)softwareag(dot)com> writes:
> I figured out that my TLS version was too low in the libpq call and increased it to TLS v1.1
> Should I go to 1.2? I am wondering because I do not want to limit compatibility.
PG 13 and up consider that 1.2 is the *minimum* secure version.
Quoting from the commit log:
Change libpq's default ssl_min_protocol_version to TLSv1.2.
When we initially created this parameter, in commit ff8ca5fad, we left
the default as "allow any protocol version" on grounds of backwards
compatibility. However, that's inconsistent with the backend's default
since b1abfec82; protocol versions prior to 1.2 are not considered very
secure; and OpenSSL has had TLSv1.2 support since 2012, so the number
of PG servers that need a lesser minimum is probably quite small.
On top of those things, it emerges that some popular distros (including
Debian and RHEL) set MinProtocol=TLSv1.2 in openssl.cnf. Thus, far
from having "allow any protocol version" behavior in practice, what
we actually have as things stand is a platform-dependent lower limit.
So, change our minds and set the min version to TLSv1.2. Anybody
wanting to connect with a new libpq to a pre-2012 server can either
set ssl_min_protocol_version=TLSv1 or accept the fallback to non-SSL.
Back-patch to v13 where the aforementioned patches appeared.
> Once I got past that hurdle, I am getting the error "ssl error: the certificate verify failed"
> Since I built the certificates myself self-signed, I am assuming I did something that Postgres does not like.
The process in our docs worked for me last time I tried it:
https://www.postgresql.org/docs/current/ssl-tcp.html#SSL-CERTIFICATE-CREATION
regards, tom lane
From | Date | Subject | |
---|---|---|---|
Next Message | Tom Lane | 2020-11-21 18:13:35 | Re: Removal of currtid()/currtid2() and some table AM cleanup |
Previous Message | Justin Pryzby | 2020-11-21 16:26:00 | Re: jit and explain nontext |