mirror of https://git.postgresql.org/git/postgresql.git (synced 2024-10-03 01:26:51 +02:00)
Change libpq's default ssl_min_protocol_version to TLSv1.2.

When we initially created this parameter, in commit ff8ca5fad, we left
the default as "allow any protocol version" on grounds of backwards
compatibility. However, that's inconsistent with the backend's default
since b1abfec82; protocol versions prior to 1.2 are not considered very
secure; and OpenSSL has had TLSv1.2 support since 2012, so the number
of PG servers that need a lesser minimum is probably quite small.

On top of those things, it emerges that some popular distros (including
Debian and RHEL) set MinProtocol=TLSv1.2 in openssl.cnf. Thus, far
from having "allow any protocol version" behavior in practice, what
we actually have as things stand is a platform-dependent lower limit.

So, change our minds and set the min version to TLSv1.2. Anybody
wanting to connect with a new libpq to a pre-2012 server can either
set ssl_min_protocol_version=TLSv1 or accept the fallback to non-SSL.

Back-patch to v13 where the aforementioned patches appeared.

Patch by me, reviewed by Daniel Gustafsson

Discussion: https://postgr.es/m/a9408304-4381-a5af-d259-e55d349ae4ce@2ndquadrant.com
parent 3b4b541777
commit 16412c7840
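To make the effect of this change concrete, the following added example (not PostgreSQL project code) models the option precedence visible in the fe-connect.c entry, conninfo keyword first, then the PGSSLMINPROTOCOLVERSION environment variable, then the compiled-in default that this commit sets to "TLSv1.2", and audits connection strings for a TLS floor below 1.2 or an sslmode that can silently fall back to a non-SSL connection. The conninfo parser, the sslmode handling and the treatment of an empty value as "unset" are simplifications for this example, not libpq's code.

```python
"""Audit libpq DSNs for their effective TLS floor (added example; not
PostgreSQL project code).  Models the precedence shown in the
PQconninfoOptions entry: conninfo keyword, then PGSSLMINPROTOCOLVERSION,
then the compiled-in default, which this commit sets to "TLSv1.2"."""
import re

# Oldest to newest, as libpq names them.
TLS_ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
COMPILED_IN_DEFAULT = "TLSv1.2"
# sslmode values under which a TLS floor the server cannot meet results in
# an unencrypted connection instead of an error (libpq's default is prefer).
FALLBACK_MODES = {"disable", "allow", "prefer"}

_KV = re.compile(r"(\w+)\s*=\s*(?:'((?:[^'\\]|\\.)*)'|(\S+))")


def parse_conninfo(dsn: str) -> dict:
    """Parse keyword=value conninfo syntax, including single-quoted values."""
    opts = {}
    for m in _KV.finditer(dsn):
        key, quoted, bare = m.groups()
        value = quoted if quoted is not None else bare
        opts[key] = re.sub(r"\\(.)", r"\1", value)  # drop backslash escapes
    return opts


def effective_min_protocol(opts: dict, env: dict) -> str:
    """Resolve ssl_min_protocol_version; names compare case-insensitively.
    Simplification: an explicitly empty value is treated as unset here."""
    value = (opts.get("ssl_min_protocol_version")
             or env.get("PGSSLMINPROTOCOLVERSION")
             or COMPILED_IN_DEFAULT)
    for name in TLS_ORDER:
        if name.lower() == value.lower():
            return name
    raise ValueError(f"invalid ssl_min_protocol_version: {value!r}")


def audit(dsn: str, env: dict) -> dict:
    """Report the TLS floor and whether the connection may end up plaintext."""
    opts = parse_conninfo(dsn)
    floor = effective_min_protocol(opts, env)
    mode = opts.get("sslmode") or env.get("PGSSLMODE") or "prefer"
    return {
        "min_protocol": floor,
        # below the new default: only pre-2012 OpenSSL servers need this
        "weak_floor": TLS_ORDER.index(floor) < TLS_ORDER.index("TLSv1.2"),
        "may_be_plaintext": mode in FALLBACK_MODES,
    }
```

A DSN that relies on the new default still reports `may_be_plaintext` unless sslmode is require or stricter, which is the fallback the commit message refers to.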
@ -1745,9 +1745,9 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
|
|||||||
<literal>TLSv1.1</literal>, <literal>TLSv1.2</literal> and
|
<literal>TLSv1.1</literal>, <literal>TLSv1.2</literal> and
|
||||||
<literal>TLSv1.3</literal>. The supported protocols depend on the
|
<literal>TLSv1.3</literal>. The supported protocols depend on the
|
||||||
version of <productname>OpenSSL</productname> used, older versions
|
version of <productname>OpenSSL</productname> used, older versions
|
||||||
not supporting the most modern protocol versions. If not set, this
|
not supporting the most modern protocol versions. If not specified,
|
||||||
parameter is ignored and the connection will use the minimum bound
|
the default is <literal>TLSv1.2</literal>, which satisfies industry
|
||||||
defined by the backend.
|
best practices as of this writing.
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
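Review bot: the new right-hand text ("If not specified, the default is TLSv1.2, which satisfies industry best practices as of this writing") drops the only hint of what a user should do when the server cannot negotiate TLS 1.2; consider carrying the commit message's advice into the docs, i.e. that such clients can set ssl_min_protocol_version=TLSv1, and state that under sslmode=prefer a server that cannot meet the floor results in a non-SSL connection rather than an error, so the floor is only enforced together with sslmode=require or stricter. "as of this writing" also dates quickly in reference documentation and could be dropped without losing anything.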
@ -320,7 +320,7 @@ static const internalPQconninfoOption PQconninfoOptions[] = {
|
|||||||
"Require-Peer", "", 10,
|
"Require-Peer", "", 10,
|
||||||
offsetof(struct pg_conn, requirepeer)},
|
offsetof(struct pg_conn, requirepeer)},
|
||||||
|
|
||||||
{"ssl_min_protocol_version", "PGSSLMINPROTOCOLVERSION", NULL, NULL,
|
{"ssl_min_protocol_version", "PGSSLMINPROTOCOLVERSION", "TLSv1.2", NULL,
|
||||||
"SSL-Minimum-Protocol-Version", "", 8, /* sizeof("TLSv1.x") == 8 */
|
"SSL-Minimum-Protocol-Version", "", 8, /* sizeof("TLSv1.x") == 8 */
|
||||||
offsetof(struct pg_conn, ssl_min_protocol_version)},
|
offsetof(struct pg_conn, ssl_min_protocol_version)},
|
||||||
|
|
||||||
|
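Review bot: the compiled-in default in the PQconninfoOptions entry changes from NULL to "TLSv1.2" unconditionally, so every connection now carries a non-empty ssl_min_protocol_version even when neither the conninfo nor PGSSLMINPROTOCOLVERSION sets one; confirm that a libpq built without SSL support still accepts this default silently rather than rejecting the option value, and that the dispsize of 8 (sizeof("TLSv1.x") == 8, per the existing comment) covers the new default string. A short comment beside the default noting that it intentionally differs from the earlier "allow any version" behavior would help readers of this table.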