From: | Marko Kreen <markokr(at)gmail(dot)com> |
---|---|
To: | Jeffrey Walton <noloader(at)gmail(dot)com> |
Cc: | Postgres Hackers List <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: fe-secure.c and SSL/TLS |
Date: | 2013-11-30 00:14:09 |
Message-ID: | 20131130001409.GA20748@gmail.com |
Lists: | pgsql-hackers |
On Fri, Nov 29, 2013 at 06:01:01PM -0500, Jeffrey Walton wrote:
> I know of no other ways to check the result of OpenSSL's chain
> validation. The open question (for me) is where are
> SSL_get_verify_result/X509_V_OK checked? Neither show up in the
> Postgres sources.
According to the SSL_set_verify manpage, you are perhaps talking about
the SSL_VERIFY_NONE case? That one has the suggestion that you should call
SSL_get_verify_result if you want to know whether the cert was valid.
But if SSL_VERIFY_PEER is used, this is not needed.
> > 3) libpq starts using TLSv1_2_method() by default.
> > 4) libpq will give switch to users to request TLSv1.2.
> This might have negative effects on non-TLSv1.2 clients. For example,
> an Android 2.3 device can only do TLSv1.0 (IIRC). I think there's a
> similar limitation on a lot of Windows XP clients (depending on the IE
> version and SChannel version). And OpenSSL-based clients prior to
> 1.0.0h (released 14 Mar 2012) will have trouble (if I am reading the
> change log correctly).
Note we are talking about client-side settings here. So the negative
effect would be that clients with TLSv1.2+ libpq cannot connect to
old servers.
> I believe the "standard" way of achieving TLS1.0 and above is to use
> the SSLv23_client_method() and then remove the SSL protocols with
> SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3. I have to use handwaving around
> "standard" because I don't believe it's documented anywhere (one of the
> devs told me it's the standard way to do it).
Indeed - Python ssl module seems to achieve TLSv1.1 and it uses
SSLv23_method(). But still no TLSv1.2.
I'll play with it a bit to see whether it can have any negative effects.
--
marko
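Added example, not from this thread and not from the PostgreSQL sources: the version-negotiation recipe Jeffrey describes (SSLv23_client_method() with SSL_OP_NO_SSLv2/SSL_OP_NO_SSLv3) and the SSL_VERIFY_PEER versus SSL_VERIFY_NONE distinction Marko points at, expressed with the Python ssl module Marko mentions, which wraps the same OpenSSL calls. ssl.PROTOCOL_TLS_CLIENT is the version-flexible method; minimum_version is the modern equivalent of the OP_NO_TLSv1* bits and is how the proposed "request TLSv1.2" switch would be expressed. The function names and the negotiable_versions helper are my own, not libpq's.

```python
import ssl

# (TLSVersion member, OP_NO_* bit that disables it), oldest first
_VERSION_OPTS = [
    (ssl.TLSVersion.SSLv3, ssl.OP_NO_SSLv3),
    (ssl.TLSVersion.TLSv1, ssl.OP_NO_TLSv1),
    (ssl.TLSVersion.TLSv1_1, ssl.OP_NO_TLSv1_1),
    (ssl.TLSVersion.TLSv1_2, ssl.OP_NO_TLSv1_2),
    (ssl.TLSVersion.TLSv1_3, ssl.OP_NO_TLSv1_3),
]


def client_context_flexible() -> ssl.SSLContext:
    """The "TLS 1.0 and above" recipe: the version-flexible client method
    (SSLv23_client_method() in 2013-era OpenSSL, TLS_client_method() today)
    with SSLv2 and SSLv3 switched off, so the highest TLS version both
    sides support is negotiated and there is no fallback to SSL."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # OP_NO_SSLv2 is 0 on OpenSSL 1.1+ (SSLv2 was removed); kept for fidelity.
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    return ctx


def client_context_tls12_only() -> ssl.SSLContext:
    """The "switch to request TLSv1.2" from the thread: the same flexible
    context with the negotiable floor raised to 1.2 (the modern replacement
    for also setting OP_NO_TLSv1 | OP_NO_TLSv1_1)."""
    ctx = client_context_flexible()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def client_context_unverified() -> ssl.SSLContext:
    """The SSL_VERIFY_NONE case: the handshake succeeds with any chain, so
    the application would have to inspect the verification result itself.
    Python refuses CERT_NONE while check_hostname is on, hence the order."""
    ctx = client_context_flexible()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def enforces_peer_verification(ctx: ssl.SSLContext) -> bool:
    """SSL_VERIFY_PEER behaviour: an untrusted chain aborts the handshake,
    so there is nothing left to consult via SSL_get_verify_result().
    check_hostname is the ssl module's own name match, which chain
    verification alone does not perform."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def negotiable_versions(ctx: ssl.SSLContext) -> list:
    """Protocol versions this context would still offer, after applying
    both the minimum/maximum version window and any OP_NO_* bits."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    offered = []
    for ver, no_opt in _VERSION_OPTS:
        if lo != ssl.TLSVersion.MINIMUM_SUPPORTED and ver < lo:
            continue
        if hi != ssl.TLSVersion.MAXIMUM_SUPPORTED and ver > hi:
            continue
        if ctx.options & no_opt:
            continue
        offered.append(ver.name)
    return offered


if __name__ == "__main__":
    for name, build in [("flexible", client_context_flexible),
                        ("tls1.2-only", client_context_tls12_only),
                        ("unverified", client_context_unverified)]:
        ctx = build()
        print(f"{name:12} offers {negotiable_versions(ctx)}; "
              f"verifies peer: {enforces_peer_verification(ctx)}")
```

On Python 3.10 and later the stdlib already defaults minimum_version to TLSv1.2, so the "flexible" and "tls1.2-only" contexts offer the same versions there; the difference only shows on older interpreters, which is exactly the compatibility trade-off the thread is weighing.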