From: | Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Michael Paquier <michael(at)paquier(dot)xyz> |
Cc: | Magnus Hagander <magnus(at)hagander(dot)net>, Daniel Gustafsson <daniel(at)yesql(dot)se>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Update minimum SSL version |
Date: | 2019-12-02 10:56:25 |
Message-ID: | 7e217273-b550-96e5-f36f-a818ac4b5d9b@2ndquadrant.com |
Lists: | pgsql-hackers |

On 2019-11-30 04:06, Tom Lane wrote:
> I think the real question we have to answer is this: are we intent on
> making people upgrade ancient openssl installations? If so, shouldn't
> we be doing something even more aggressive than this? If not, wouldn't
> the patch need to try to autoconfigure the minimum TLS version? As
> proposed, the patch seems to be somewhere in a passive-aggressive middle
> ground of being annoying without really enforcing anything. So I don't
> quite see the point.

The trade-off is that this makes the defaults better for the vast
majority of users and gives users of really old systems a nudge that
they are no longer in compliance with industry best practices. You need
manual steps to set up SSL anyway, so this doesn't introduce an entirely
new kind of requirement for the latter group of users.
--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services