Re: Update minimum SSL version

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Robert Haas <robertmhaas(at)gmail(dot)com>
Cc: Michael Paquier <michael(at)paquier(dot)xyz>, Magnus Hagander <magnus(at)hagander(dot)net>, Daniel Gustafsson <daniel(at)yesql(dot)se>, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Update minimum SSL version
Date: 2019-12-02 17:51:26
Message-ID: 4448.1575309086@sss.pgh.pa.us
Lists: pgsql-hackers

Robert Haas <robertmhaas(at)gmail(dot)com> writes:
> On Mon, Dec 2, 2019 at 11:39 AM Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>> Maybe it'd be worth extending that to show the max supported
>> version, with some rats-nest of #ifdefs, but I'm not sure if
>> it's worth the trouble.

> Especially if we mess up the #ifdefs. :-)

Yah. Although, looking at the code in be-secure-openssl.c,
it doesn't look that hard to do in an extensible way.
Something like (untested)

static int
ssl_protocol_version_to_openssl(int v, const char *guc_name, int loglevel)
{
switch (v)
{
case PG_TLS_ANY:
return 0;
case PG_TLS1_VERSION:
+#define PG_MAX_TLS_VERSION "TLSv1"
return TLS1_VERSION;
case PG_TLS1_1_VERSION:
#ifdef TLS1_1_VERSION
+#undef PG_MAX_TLS_VERSION
+#define PG_MAX_TLS_VERSION "TLSv1.1"
return TLS1_1_VERSION;
#else
break;
#endif
case PG_TLS1_2_VERSION:
#ifdef TLS1_2_VERSION
+#undef PG_MAX_TLS_VERSION
+#define PG_MAX_TLS_VERSION "TLSv1.2"
return TLS1_2_VERSION;
#else
break;
#endif
case PG_TLS1_3_VERSION:
#ifdef TLS1_3_VERSION
+#undef PG_MAX_TLS_VERSION
+#define PG_MAX_TLS_VERSION "TLSv1.3"
return TLS1_3_VERSION;
#else
break;
#endif
}

ereport(loglevel,
(errmsg("%s setting %s not supported by this build",
guc_name,
- GetConfigOption(guc_name, false, false))));
+ GetConfigOption(guc_name, false, false)),
+ errdetail("Maximum supported TLS version is %s.",
+ PG_MAX_TLS_VERSION)));
return -1;
}
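Review bot: The #define/#undef sequence placed inside the case labels only works because the preprocessor runs in source order regardless of switch control flow, so PG_MAX_TLS_VERSION ends up naming the highest TLSx_VERSION macro the OpenSSL headers define; that is non-obvious enough to deserve a comment above the switch, and PG_MAX_TLS_VERSION should be #undef'd after the ereport so it does not leak into the rest of be-secure-openssl.c. The switch also has no default case, so an unrecognised v falls through to the same ereport and the errdetail "Maximum supported TLS version is %s." would then be misleading; a default: with an Assert or a distinct message would keep the hint accurate. The unguarded `#define PG_MAX_TLS_VERSION "TLSv1"` under PG_TLS1_VERSION is fine only because `return TLS1_VERSION;` is itself unguarded, i.e. TLS1_VERSION is assumed always present.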

regards, tom lane
