From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Jan Bilek <jan(dot)bilek(at)eftlab(dot)co(dot)uk> |
Cc: | pgsql-hackers(at)postgresql(dot)org, Chris Dawes <chris(dot)dawes(at)eftlab(dot)co(dot)uk> |
Subject: | Re: Postgres and TLSv1.2 |
Date: | 2015-05-21 16:06:36 |
Message-ID: | 28287.1432224396@sss.pgh.pa.us |
Lists: | pgsql-hackers |
Jan Bilek <jan(dot)bilek(at)eftlab(dot)co(dot)uk> writes:
> We are trying to set up Postgres with TLSv1.2 (undergoing a PA-DSS audit),
> but getting a bit stuck there with Postgres reporting "could not accept
> SSL connection: no shared cipher". This is obviously an internal OpenSSL
> message, but the worrying part is that we've had this setup running with the
> other encryptions and the same certificates without any problems.
> We've been trying to follow the documentation from here:
> http://www.postgresql.org/docs/9.3/static/ssl-tcp.html.
libpq versions before 9.4 will only accept TLSv1 exactly. In 9.4 it
should negotiate the highest TLS version supported by both server and
client.
I don't recall why we didn't back-patch that change, probably excessive
concern for backwards compatibility ... but anyway, AFAICS from the git
logs, it's not in 9.3.x. I think you could get TLS 1.2 from a 9.3 server
and 9.4 libpq, if that helps.
regards, tom lane
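The failure mode Tom describes can be reproduced and checked without touching libpq. The script below is an added example for this thread, not PostgreSQL or libpq code; its function names, the constructed loopback "server" and the hypothetical host/port are its own. It hand-builds the protocol's SSLRequest packet (int32 length 8, int32 code 80877103) and reads the one-byte 'S'/'N' answer, exactly the step libpq takes before it starts TLS, so the TLS version range offered afterwards can be pinned (TLSv1 only, to imitate a pre-9.4 libpq). It also expands a postgresql.conf `ssl_ciphers` value the way OpenSSL would and lists which suites a TLSv1-only client could still agree on: the GCM and SHA-2 suites that PCI-style hardening guides recommend exist only in TLSv1.2, so a server restricted to them has literally no shared cipher with a TLSv1-only client, which is the error in the original report.

```python
"""Diagnostic for the "no shared cipher" symptom: hand-rolled SSLRequest plus a
TLS version probe and an ssl_ciphers compatibility check. Added example; not
PostgreSQL/libpq code. Function names and host/port below are hypothetical."""
import socket
import ssl
import struct
import threading
from typing import List

SSL_REQUEST_CODE = 80877103  # (1234 << 16) | 5679, the protocol's SSLRequest code


def ssl_request_packet() -> bytes:
    """The 8-byte SSLRequest message: big-endian int32 length 8, int32 code."""
    return struct.pack("!ii", 8, SSL_REQUEST_CODE)


def send_ssl_request(sock: socket.socket) -> str:
    """Send SSLRequest on a plain socket and return the server's 'S' or 'N'."""
    sock.sendall(ssl_request_packet())
    reply = sock.recv(1)
    if reply not in (b"S", b"N"):
        raise ValueError(f"unexpected SSLRequest reply: {reply!r}")
    return reply.decode("ascii")


def exchange_ssl_request_locally(server_answer: bytes = b"S") -> str:
    """Run the SSLRequest exchange against a constructed loopback 'server'.

    The fake server only verifies the 8 request bytes and answers as told; it
    exists so the client half can be exercised without a PostgreSQL instance.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    seen = {}

    def serve():
        conn, _ = listener.accept()
        with conn:
            request = b""
            while len(request) < 8:
                chunk = conn.recv(8 - len(request))
                if not chunk:
                    break
                request += chunk
            seen["request"] = request
            conn.sendall(server_answer)

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    with socket.create_connection(listener.getsockname(), timeout=5) as client:
        answer = send_ssl_request(client)
    thread.join(5)
    listener.close()
    if seen.get("request") != ssl_request_packet():
        raise AssertionError("server did not receive a well-formed SSLRequest")
    return answer


def probe_tls(host: str, port: int, minimum: ssl.TLSVersion, maximum: ssl.TLSVersion):
    """Connect, do SSLRequest, then handshake within [minimum, maximum].

    Returns (negotiated protocol, cipher name). Pin both bounds to TLSv1 to
    imitate a pre-9.4 libpq; against a server whose ssl_ciphers holds only
    TLSv1.2 suites the handshake fails and the server logs "no shared cipher".
    Certificate checks are off because this is a version probe, not a client
    anyone should ship.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = minimum
    ctx.maximum_version = maximum
    with socket.create_connection((host, port), timeout=5) as raw:
        if send_ssl_request(raw) != "S":
            raise RuntimeError("server declined SSL (ssl = off in postgresql.conf?)")
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


def suites_usable_by_tlsv1_client(ssl_ciphers: str) -> List[str]:
    """Expand an ssl_ciphers string as OpenSSL does and drop every suite that
    needs TLSv1.2 (AEAD / SHA-2 suites) or TLSv1.3. What remains is what a
    TLSv1-only libpq can negotiate; an empty list means "no shared cipher"."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(ssl_ciphers)
    return [c["name"] for c in ctx.get_ciphers()
            if c["protocol"] not in ("TLSv1.2", "TLSv1.3")]


if __name__ == "__main__":
    print("SSLRequest bytes:", ssl_request_packet().hex())
    print("loopback exchange answered:", exchange_ssl_request_locally(b"S"))
    for spec in ("ECDHE-RSA-AES128-GCM-SHA256",
                 "ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256"):
        print(f"ssl_ciphers = '{spec}' -> usable by TLSv1 client:",
              suites_usable_by_tlsv1_client(spec))
    # Against a real server (hypothetical host/port), pinned to TLSv1 like a 9.3 libpq:
    #   probe_tls("db.example.internal", 5432, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1)
```

Run `suites_usable_by_tlsv1_client` on the exact `ssl_ciphers` string from the audited server: if it returns an empty list, every pre-9.4 client will hit "no shared cipher" no matter which certificates are in use, which matches the symptom in the report and Tom's diagnosis. Note that `probe_tls` with `TLSVersion.TLSv1` may itself be refused by a modern OpenSSL build that has TLS 1.0 compiled out or disabled by security level; that is a limitation of the probe host, not of the server.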