Re: should libpq also require TLSv1.2 by default?

From: Daniel Gustafsson <daniel(at)yesql(dot)se>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Magnus Hagander <magnus(at)hagander(dot)net>, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: should libpq also require TLSv1.2 by default?
Date: 2020-06-26 12:33:04
Message-ID: F50C22DD-A2C0-461A-93CD-3B87847F8F82@yesql.se
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

> On 26 Jun 2020, at 00:44, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:

> My feeling now is that we'd be better off defaulting
> ssl_min_protocol_version to something nonempty, just to make this
> behavior platform-independent. We certainly can't leave the docs
> as they are.

Yeah, given the concensus in this thread and your findings I think we should
default to TLSv1.2 as originally proposed.

I still think there will be instances of existing connections to old servers
that will all of a sudden break, but it's probably true that it's not a common
setup. Optimizing for the majority and helping the minority with documentation
is IMO the winning move.

> Also, I confirm that the failure looks like
>
> $ psql -h ... -d "dbname=postgres sslmode=require"
> psql: error: could not connect to server: SSL error: unsupported protocol
>
> While that's not *that* awful, if you realize that "protocol" means
> TLS version, many people probably won't without a hint. It does not
> help any that the message doesn't mention either the offered TLS version
> or the version limits being enforced. I'm not sure we can do anything
> about the former, but reducing the number of variables affecting the
> latter seems like a smart idea.

+1

> BTW, the server-side report of the problem looks like
>
> LOG: could not accept SSL connection: wrong version number

I can totally see some thinking that it's the psql version at client side which
is referred to and not the TLS protocol version. Perhaps we should add a hint
there as well?

cheers ./daniel

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Daniel Gustafsson 2020-06-26 12:34:11 Re: Online checksums patch - once again
Previous Message Daniel Gustafsson 2020-06-26 12:26:50 Re: Ought to use heap_multi_insert() for pg_attribute/depend insertions?