From b1abfec825472434ea445b9700eaa80cde9da86a Mon Sep 17 00:00:00 2001 From: Peter Eisentraut Date: Wed, 4 Dec 2019 21:40:17 +0100 Subject: [PATCH] Update minimum SSL version Change default of ssl_min_protocol_version to TLSv1.2 (from TLSv1, which means 1.0). Older versions are still supported, just not by default. TLS 1.0 is widely deprecated, and TLS 1.1 only slightly less so. All OpenSSL versions that support TLS 1.1 also support TLS 1.2, so there would be very little reason to, say, set the default to TLS 1.1 instead on grounds of better compatibility. The test suite overrides this new setting, so it can still run with older OpenSSL versions. Discussion: https://www.postgresql.org/message-id/flat/b327f8df-da98-054d-0cc5-b76a857cfed9%402ndquadrant.com --- doc/src/sgml/config.sgml | 6 ++---- src/backend/utils/misc/guc.c | 2 +- src/backend/utils/misc/postgresql.conf.sample | 2 +- src/test/ssl/t/SSLServer.pm | 4 ++++ 4 files changed, 8 insertions(+), 6 deletions(-) diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml index 4ec13f3311..53ac14490a 100644 --- a/doc/src/sgml/config.sgml +++ b/doc/src/sgml/config.sgml @@ -1365,10 +1365,8 @@ include_dir 'conf.d' - The default is TLSv1, mainly to support older - versions of the OpenSSL library. You might - want to set this to a higher value if all software components can - support the newer protocol versions. + The default is TLSv1.2, which satisfies industry + best practices as of this writing. diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c index 5fccc9683e..ba74bf9f7d 100644 --- a/src/backend/utils/misc/guc.c +++ b/src/backend/utils/misc/guc.c @@ -4573,7 +4573,7 @@ static struct config_enum ConfigureNamesEnum[] = GUC_SUPERUSER_ONLY }, &ssl_min_protocol_version, - PG_TLS1_VERSION, + PG_TLS1_2_VERSION, ssl_protocol_versions_info + 1, /* don't allow PG_TLS_ANY */ NULL, NULL, NULL }, diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample index 46a06ffacd..9541879c1f 100644 --- a/src/backend/utils/misc/postgresql.conf.sample +++ b/src/backend/utils/misc/postgresql.conf.sample @@ -105,7 +105,7 @@ #ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers #ssl_prefer_server_ciphers = on #ssl_ecdh_curve = 'prime256v1' -#ssl_min_protocol_version = 'TLSv1' +#ssl_min_protocol_version = 'TLSv1.2' #ssl_max_protocol_version = '' #ssl_dh_params_file = '' #ssl_passphrase_command = '' diff --git a/src/test/ssl/t/SSLServer.pm b/src/test/ssl/t/SSLServer.pm index 005955a2ff..26b5964f4f 100644 --- a/src/test/ssl/t/SSLServer.pm +++ b/src/test/ssl/t/SSLServer.pm @@ -132,6 +132,10 @@ sub configure_test_server_for_ssl print $conf "listen_addresses='$serverhost'\n"; print $conf "log_statement=all\n"; + # Accept even old TLS versions so that builds with older OpenSSL + # can run the test suite. + print $conf "ssl_min_protocol_version='TLSv1'\n"; + # enable SSL and set up server key print $conf "include 'sslconfig.conf'\n";