| From: | Dag-Erling Smørgrav <des(at)des(dot)no> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | Magnus Hagander <magnus(at)hagander(dot)net>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, PostgreSQL mailing lists <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: [PATCH] add ssl_protocols configuration option |
| Date: | 2014-10-22 13:21:52 |
| Message-ID: | 86zjcock9b.fsf@nine.des.no |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> writes:
> As far as protocol version goes, I think our existing coding basically
> says "prefer newest available version, but at least TLS 1.0". I think
> that's probably a reasonable approach.
The client side forces TLS 1.0:
SSL_context = SSL_CTX_new(TLSv1_method());
In typical OpenSSL fashion, this does *not* mean 1.0 or higher. It
means 1.0 exactly.
> If the patch exposed a GUC that set a "minimum" version, rather than
> calling out specific acceptable protocols, it might be less risky.
Not necessarily. Someone might find a weakness in TLS 1.1 which is not
present in 1.0 because it involves a specific algorithm or mode that 1.0
does not support.
DES
--
Dag-Erling Smørgrav - des(at)des(dot)no
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Dag-Erling Smørgrav | 2014-10-22 13:22:17 | Re: [PATCH] add ssl_protocols configuration option |
| Previous Message | Michael Paquier | 2014-10-22 13:20:51 | Re: BUG: *FF WALs under 9.2 (WAS: .ready files appearing on slaves) |