| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
| Cc: | Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net>, Álvaro Hernández Tortosa <aht(at)8kdata(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>, PostgreSQL JDBC List <pgsql-jdbc(at)postgresql(dot)org> |
| Subject: | Re: [HACKERS] Channel binding support for SCRAM-SHA-256 |
| Date: | 2017-06-06 16:21:02 |
| Message-ID: | 20003.1496766062@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers pgsql-jdbc |
Robert Haas <robertmhaas(at)gmail(dot)com> writes:
> I don't think it's true that we force the latest TLS version to be
> used. The comment says:
> /*
> * We use SSLv23_method() because it can negotiate use of the highest
> * mutually supported protocol version, while alternatives like
> * TLSv1_2_method() permit only one specific version. Note
> that we don't
> * actually allow SSL v2 or v3, only TLS protocols (see below).
> */
> IIUC, this is specifically so that we don't force the use of TLS 1.2
> or TLS 1.1 or TLS 1.0.
Right. IIUC, there's no way (at least in older OpenSSL versions) to say
directly "we only want TLS >= 1.0", so we have to do it like this.
I found a comment on the web saying "SSLv23_method would be better named
AutoNegotiate_method", which seems accurate.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Robert Haas | 2017-06-06 16:28:43 | Re: sketchy partcollation handling |
| Previous Message | Robert Haas | 2017-06-06 16:19:08 | Re: BEFORE trigger can cause undetected partition constraint violation |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | David Rosenstrauch | 2017-06-06 20:46:56 | Advisory lock deadlock issue using PG JDBC driver |
| Previous Message | Robert Haas | 2017-06-06 15:35:49 | Re: [JDBC] Channel binding support for SCRAM-SHA-256 |