Re: [COMMITTERS] pgsql: libpq: Support TLS versions beyond TLSv1.

From: Craig Ringer <craig(at)2ndquadrant(dot)com>
To: Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net>
Cc: Noah Misch <noah(at)leadboat(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-hackers(at)postgreSQL(dot)org, Wim Lewis <wiml(at)omnigroup(dot)com>, Marko Kreen <markokr(at)gmail(dot)com>, Jeffrey Walton <noloader(at)gmail(dot)com>
Subject: Re: [COMMITTERS] pgsql: libpq: Support TLS versions beyond TLSv1.
Date: 2014-01-26 10:10:38
Message-ID: 52E4DF1E.2030006@2ndquadrant.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-committers pgsql-hackers

On 01/26/2014 10:13 AM, Alvaro Herrera wrote:
> Stephen Frost escribió:
>> * Noah Misch (noah(at)leadboat(dot)com) wrote:
>>> +1. If you can upgrade to 9.4, you can also bring your TLS protocol out of
>>> the iron age.
>>
>> Agreed- this was going to be my 2c. Anyone w/ an SSL library that old
>> isn't likely to be upgrading to 9.4 of libpq or PG.
>
> What about people doing SSL connections through JDBC? As far as I
> understand, these don't use openssl.

That's correct, PgJDBC uses Java's built-in SSL support, which is
provided by the underlying JSSE ("Java Secure Socket Extension") service
in the JVM.

From what I can find, it looks like Java 1.4.2 and newer, including Java
5, appear to support TLS 1.0. I haven't found anything definitive for
1.4.2 yet, but 1.5 certainly supports it.

That's all we need to care about IMO; 1.4.x users are running
unsupported and old PgJDBC versions (we dropped support for 1.4) and
they're generally happy living in the stone age.

So I don't see Java as a barrier here.

----

Finding a good reference on which Java runtimes support which features
is surprisingly hard.

Java 6 supports TLS. It took a bit to confirm that 1.5 does too. 1.4.2
may, but we don't need to care.

http://docs.oracle.com/javase/1.5.0/docs/guide/security/jsse/JSSERefGuide.html

claims:

"The JSSE implementation in the J2SDK 1.4 and later implements SSL 3.0
and TLS 1.0"

... but in the table "Default Enabled Cipher Suites" in:

http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html

Java 1.4.2 and newer are shown to support by default:

TLS_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA

... and a bunch of SSL_ stuff.

so it looks like TLS support has probably been backpacked to 1.4.2. Java
1.4 is PostgreSQL 7.2 vintage, well into "we don't care, go away" land.

BTW, the JSSE docs also claim that "TLS 1.0 is a modest upgrade to the
most recent version of SSL, version 3.0. The differences between SSL 3.0
and TLS 1.0 are minor".

--
Craig Ringer http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services

In response to

Browse pgsql-committers by date

  From Date Subject
Next Message Stephen Frost 2014-01-26 14:40:26 pgsql: Use E, not e, for escaping in example docs
Previous Message Alvaro Herrera 2014-01-26 02:13:11 Re: [COMMITTERS] pgsql: libpq: Support TLS versions beyond TLSv1.

Browse pgsql-hackers by date

  From Date Subject
Next Message Magnus Hagander 2014-01-26 10:44:12 Re: Visual Studio 2013 build
Previous Message Simon Riggs 2014-01-26 09:19:55 Re: plpgsql.warn_shadow