From: | David Fetter <david(at)fetter(dot)org> |
---|---|
To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
Cc: | Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: settings to control SSL/TLS protocol version |
Date: | 2018-11-05 20:53:08 |
Message-ID: | 20181105205307.GA15572@fetter.org |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Mon, Nov 05, 2018 at 03:01:58PM -0500, Robert Haas wrote:
> On Mon, Oct 1, 2018 at 4:21 PM Peter Eisentraut
> <peter(dot)eisentraut(at)2ndquadrant(dot)com> wrote:
> > There have been some requests to be able to select the TLS versions
> > PostgreSQL is using. We currently only hardcode that SSLv2 and SSLv3
> > are disabled, but there is also some interest now in disabling TLSv1.0
> > and TLSv1.1. Also, I've had some issues in some combinations with the
> > new TLSv1.3, so there is perhaps also some use for disabling at the top end.
> >
> > Attached is a patch that implements this. For example:
> >
> > ssl_min_protocol_version = 'TLSv1'
> > ssl_max_protocol_version = 'any'
>
> +1. Maybe it would make sense to spell 'any' as the empty string.
> Intuitively, it makes more sense to me to think about there being no
> maximum than to think about the maximum being anything.
..and now, I'm finally beginning to see the reasoning that led Oracle
to conflate NULL and empty string.
Best,
David.
--
David Fetter <david(at)fetter(dot)org> http://fetter.org/
Phone: +1 415 235 3778
Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate
From | Date | Subject | |
---|---|---|---|
Next Message | Andres Freund | 2018-11-05 21:00:39 | Why do pg_upgrade's test use the serial schedule? |
Previous Message | Andres Freund | 2018-11-05 20:10:44 | Re: replication_slots usability issue |