Re: [PATCH] add ssl_protocols configuration option

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Magnus Hagander <magnus(at)hagander(dot)net>
Cc: Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, Dag-Erling Smørgrav <des(at)des(dot)no>, Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, PostgreSQL mailing lists <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: [PATCH] add ssl_protocols configuration option
Date: 2014-10-19 19:18:41
Message-ID: 26789.1413746321@sss.pgh.pa.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

Magnus Hagander <magnus(at)hagander(dot)net> writes:
> On Sun, Oct 19, 2014 at 6:17 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>> And in the end, if we set values like this from PG --- whether
>> hard-wired or via a GUC --- the SSL library people will have exactly
>> the same perspective with regards to *our* values. And not without
>> reason; we were forcing very obsolete settings up till recently,
>> because nobody had looked at the issue for a decade. I see no reason
>> to expect that that history won't repeat itself.

> The best part would be if we could just leave it up to the SSL
> library, but at least the openssl one doesn't have an API that lets us
> do that, right? We *have* to pick something...

As far as protocol version goes, I think our existing coding basically
says "prefer newest available version, but at least TLS 1.0". I think
that's probably a reasonable approach.

If the patch exposed a GUC that set a "minimum" version, rather than
calling out specific acceptable protocols, it might be less risky.

regards, tom lane

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Magnus Hagander 2014-10-19 20:04:35 Re: [PATCH] add ssl_protocols configuration option
Previous Message Tom Lane 2014-10-19 19:09:57 Re: get_actual_variable_range vs idx_scan/idx_tup_fetch