| From: | Steve Crawford <scrawford(at)pinpointresearch(dot)com> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | Ehtesham Pradhan <ehtesham(dot)pradhan(at)lookout(dot)com>, PostgreSQL <pgsql-general(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: TLS 1.0 |
| Date: | 2021-08-06 16:47:56 |
| Message-ID: | CAEfWYyxweWLcCXpdZRbEHA303_UGtnS62-Bb1dzyqfYLLxJzSg@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
From a security audit point of view, also consider the fact that 9.6 is
end-of-life in 3 months.
-Steve
On Fri, Aug 6, 2021 at 9:46 AM Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Ehtesham Pradhan <ehtesham(dot)pradhan(at)lookout(dot)com> writes:
> > Our client is using Version : PostgreSQL 9.6.17 , they have done
> vulnerability
> > assessment and found that :
>
> > - TLS version 1.0 Protocol detection
> > - The remote service encrypt traffic with older version of TLS
>
> This is mostly a matter of whether the OpenSSL libraries being used on
> both ends are up-to-date. If you were using PG 12 or later you could
> set the server parameter ssl_min_protocol_version to enforce whatever
> policy you want about minimum TLS version. But in 9.6.x it's going
> to be strictly a matter of what OpenSSL wants to do. Check the
> system-wide OpenSSL configuration on each end, and update OpenSSL
> if necessary. At least with reasonably modern OpenSSL, you should
> be able to enforce a minimum TLS version in OpenSSL's config
> (see MinProtocol).
>
> regards, tom lane
>
>
>
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Matthias Apitz | 2021-08-06 18:09:03 | Re: PostgreSQL reference coffee mug |
| Previous Message | Tom Lane | 2021-08-06 16:46:02 | Re: TLS 1.0 |