From: | Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Robert Haas <robertmhaas(at)gmail(dot)com> |
Cc: | Michael Paquier <michael(at)paquier(dot)xyz>, Magnus Hagander <magnus(at)hagander(dot)net>, Daniel Gustafsson <daniel(at)yesql(dot)se>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Update minimum SSL version |
Date: | 2019-12-04 07:52:14 |
Message-ID: | ede00153-419e-c763-0401-838f0514b0c4@2ndquadrant.com |
Lists: | pgsql-hackers |
On 2019-12-02 17:39, Tom Lane wrote:
> Robert Haas <robertmhaas(at)gmail(dot)com> writes:
>> ... However, it would be worth putting in some
>> effort to make sure that we give a good error message if this happens.
>
> That's an excellent point, but it looks like we're pretty good
> already. I tried the patch with openssl 0.9.8x, and got this
> failure at server start:
>
> FATAL: ssl_min_protocol_version setting TLSv1.2 not supported by this build

That's the easy part, since it's under our control. The other situation
is if you connect with an old library to a newer server that has the
raised ssl_min_protocol_version setting. Then you get something like this:

    psql: SSL error: tlsv1 alert protocol version

and on the server:

    LOG: could not accept SSL connection: unsupported protocol

Not great, but usable.

(What actually happens due to the default of PGSSLMODE=prefer is that
psql/libpq will have the SSL connection attempt rejected and will
connect using a non-SSL connection.)

--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
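
The fallback described in the message's last paragraph leaves a trace in the server log: a TLS version rejection followed shortly by a non-SSL login from the same host. The following is an added example, not part of the original message or of PostgreSQL itself; it assumes `log_connections = on` and `log_line_prefix = '%m [%p] '`, and the sample log lines, hosts and the function name are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample server log (not from the thread). Assumes
# log_connections = on and log_line_prefix = '%m [%p] '.
SAMPLE_LOG = """\
2019-12-04 08:00:01.120 CET [4101] LOG:  connection received: host=192.0.2.10 port=51234
2019-12-04 08:00:01.131 CET [4101] LOG:  could not accept SSL connection: unsupported protocol
2019-12-04 08:00:01.140 CET [4102] LOG:  connection received: host=192.0.2.10 port=51236
2019-12-04 08:00:01.152 CET [4102] LOG:  connection authorized: user=app database=appdb
2019-12-04 08:00:05.300 CET [4110] LOG:  connection received: host=192.0.2.20 port=40022
2019-12-04 08:00:05.321 CET [4110] LOG:  connection authorized: user=app database=appdb SSL enabled (protocol=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256, compression=off)
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \S+ \[(\d+)\] LOG:\s+(.*)$")
RECEIVED = re.compile(r"^connection received: host=(\S+)")
TLS_FAIL = "could not accept SSL connection: unsupported protocol"


def find_plaintext_fallbacks(log_text, window=timedelta(seconds=5)):
    """Return (host, time, message) for non-SSL logins that follow a TLS version rejection."""
    host_of_pid = {}   # backend PID -> client host, from "connection received"
    rejected_at = {}   # client host -> time of its last TLS version rejection
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        pid, msg = m.group(2), m.group(3)
        r = RECEIVED.match(msg)
        if r:
            host_of_pid[pid] = r.group(1)  # overwrite handles PID reuse
            continue
        host = host_of_pid.get(pid)
        if host is None:
            continue
        if msg == TLS_FAIL:
            rejected_at[host] = ts
        elif msg.startswith("connection authorized:") and "SSL enabled" not in msg:
            seen = rejected_at.get(host)
            if seen is not None and ts - seen <= window:
                findings.append((host, m.group(1), msg))
    return findings


if __name__ == "__main__":
    for host, when, msg in find_plaintext_fallbacks(SAMPLE_LOG):
        print(f"{when} {host}: plaintext session after TLS rejection ({msg})")
```

Clients that must never fall back can set `PGSSLMODE=require` (or stricter), and the server can refuse the plaintext attempt by using `hostssl` rather than `host` entries in `pg_hba.conf`.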