| From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
|---|---|
| To: | Michael Paquier <michael(at)paquier(dot)xyz> |
| Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Magnus Hagander <magnus(at)hagander(dot)net>, Daniel Gustafsson <daniel(at)yesql(dot)se>, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Update minimum SSL version |
| Date: | 2019-12-02 15:31:40 |
| Message-ID: | CA+TgmobM7j=+NN+juu9=urfw0-Bt22QvDdxaPW8O-KK5yegADQ@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Fri, Nov 29, 2019 at 9:44 PM Michael Paquier <michael(at)paquier(dot)xyz> wrote:
> Actually, no, what I am writing here is incorrect. We should make
> sure of that the default configuration is correct at initdb time, and
> the patch does not do that.
I think that would be overkill. There shouldn't be many people who are
running with a version of PostgreSQL that is 8 years newer than the
version of OpenSSL they are using, and who are also relying on SSL,
and even if there are such people, it's a pretty minor configuration
change to make it work. However, it would be worth putting in some
effort to make sure that we give a good error message if this happens.
I'm not sure how practical that is. But there's a big difference
between giving an incomprehensible OpenSSL message that says "things
aren't working and good luck figuring out why" and giving a message
that says something like:
ERROR: ssl_min_protocol_version specifies TLSv1.2, but your OpenSSL
library does not support protocol versions beyond TLSv1.1
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Andres Freund | 2019-12-02 15:55:45 | Re: Proposal: Add more compile-time asserts to expose inconsistencies. |
| Previous Message | Daniel Gustafsson | 2019-12-02 15:28:39 | Re: Update minimum SSL version |