From: | Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> |
---|---|
To: | pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | settings to control SSL/TLS protocol version |
Date: | 2018-10-01 20:21:31 |
Message-ID: | 1822da87-b862-041a-9fc2-d0310c3da173@2ndquadrant.com |
Lists: | pgsql-hackers |
There have been some requests to be able to select the TLS versions
PostgreSQL is using. We currently only hardcode that SSLv2 and SSLv3
are disabled, but there is also some interest now in disabling TLSv1.0
and TLSv1.1. Also, I've had some issues in some combinations with the
new TLSv1.3, so there is perhaps also some use for disabling at the top end.

Attached is a patch that implements this. For example:

```
ssl_min_protocol_version = 'TLSv1'
ssl_max_protocol_version = 'any'
```

For reference, here is similar functionality implemented elsewhere:

https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols
https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslprotocol

Unlike those two, which offer a list of protocols to use, I have gone
with min and max settings. I think that is easier to use, and it also
maps better to the newer OpenSSL API (SSL_CTX_set_min_proto_version()
etc.). The older SSL_CTX_set_options()-based approach is deprecated and
has some very weird behaviors that would make it complicated to use for
anything more than a min/max.
--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
Attachment | Content-Type | Size |
---|---|---|
0001-Add-settings-to-control-SSL-TLS-protocol-version.patch | text/plain | 10.0 KB |
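The post argues that a min/max pair maps directly onto OpenSSL's `SSL_CTX_set_min_proto_version()` / `SSL_CTX_set_max_proto_version()`. The following is an added illustration of that mapping, written for this page and not taken from the attached patch: it parses the two setting strings into the integer version codes those OpenSSL calls take and rejects an inverted range. The setting names `ssl_min_protocol_version` / `ssl_max_protocol_version` and the values `'TLSv1'` and `'any'` come from the post; the spellings `TLSv1.1`, `TLSv1.2` and `TLSv1.3` are assumed. The version constants are redefined locally (with OpenSSL's actual values) so the example compiles without OpenSSL headers; in a real build they would come from `<openssl/ssl.h>`.

```c
/* Added example, not from the PostgreSQL patch: resolve
 * ssl_min_protocol_version / ssl_max_protocol_version strings into the
 * integer codes used by SSL_CTX_set_min_proto_version() and
 * SSL_CTX_set_max_proto_version(), and validate the resulting range. */
#include <stdio.h>
#include <string.h>

/* Protocol version codes as OpenSSL defines them in <openssl/ssl.h>,
 * redefined here so the example compiles without OpenSSL. OpenSSL treats
 * 0 as "no lower/upper bound", which is what the setting value 'any' means. */
#define PROTO_ANY      0
#define TLS1_VERSION   0x0301
#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303
#define TLS1_3_VERSION 0x0304

/* 'any' and 'TLSv1' appear in the post; the other spellings are assumed. */
static const struct { const char *name; int code; } tls_versions[] = {
    { "any",     PROTO_ANY },
    { "TLSv1",   TLS1_VERSION },
    { "TLSv1.1", TLS1_1_VERSION },
    { "TLSv1.2", TLS1_2_VERSION },
    { "TLSv1.3", TLS1_3_VERSION },
};

/* Map one setting string to its version code; -1 if the string is unknown.
 * Note that SSLv2/SSLv3 are deliberately absent: they cannot be selected. */
int tls_version_code(const char *setting)
{
    for (size_t i = 0; i < sizeof tls_versions / sizeof tls_versions[0]; i++)
        if (strcmp(setting, tls_versions[i].name) == 0)
            return tls_versions[i].code;
    return -1;
}

/* Resolve a min/max pair. Returns 0 and fills *min_out/*max_out on success,
 * -1 if either string is not a known version, -2 if min is above max
 * (an empty range that would leave no protocol negotiable). */
int resolve_tls_range(const char *min_setting, const char *max_setting,
                      int *min_out, int *max_out)
{
    int lo = tls_version_code(min_setting);
    int hi = tls_version_code(max_setting);

    if (lo < 0 || hi < 0)
        return -1;
    /* 'any' on either end imposes no bound there, so only compare two
     * concrete versions against each other. */
    if (lo != PROTO_ANY && hi != PROTO_ANY && lo > hi)
        return -2;
    *min_out = lo;
    *max_out = hi;
    return 0;
}

int main(void)
{
    int lo, hi;

    /* The configuration shown in the post: floor at TLSv1, no ceiling. */
    if (resolve_tls_range("TLSv1", "any", &lo, &hi) == 0)
        printf("min=0x%04x max=0x%04x\n", lo, hi);
    /* With OpenSSL linked in, the codes would be handed to
     * SSL_CTX_set_min_proto_version(ctx, lo) and
     * SSL_CTX_set_max_proto_version(ctx, hi). */
    return 0;
}
```

The check for an inverted range is the one a list-based setting (as in nginx or Apache) cannot express but a min/max pair needs: a configuration like `min = TLSv1.3, max = TLSv1.2` should be refused at load time rather than silently producing a server that can negotiate nothing.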