Re: [PATCH] add ssl_protocols configuration option

Dag-Erling Smørgrav wrote:
> Martijn van Oosterhout <kleptog(at)svana(dot)org> writes:
> > Dag-Erling Smørgrav <des(at)des(dot)no> writes:
> > > Martijn van Oosterhout <kleptog(at)svana(dot)org> writes:
> > > > Since you can already specify the cipher list, couldn't you just
> > > > add -SSLv3 to the cipher list and be done?
> > > I didn't want to change the existing behavior; all I wanted was to
> > > give users a way to do so if they wish.
> > I think we should just disable SSL3.0 altogether. The only way this
> > could cause problems is if people are using PostgreSQL with an OpenSSL
> > library from last century. As for client libraries, even Windows XP
> > supports TLS1.0.
>
> As far as I'm concerned (i.e. as far as FreeBSD and the University of
> Oslo are concerned), I couldn't care less about anything older than
> 0.9.8, which is what FreeBSD 8 and RHEL5 have, but I don't feel
> comfortable making that decision for other people. On the gripping
> hand, no currently supported version of libpq uses anything older than
> TLS; 9.0 through 9.3 use TLS 1.0 only while 9.4 uses TLS 1.0 or higher.

OpenSSL just announced a week or two ago that they're abandoning support
for 0.9.8 by the end of next year[1], which means its replacements have
been around for a really long time. I think it's fine to drop 0.9.7
support --- we already dropped support for 0.9.6 with the renegotiation
rework[2] in the 9.4 timeframe.

OpenSSL 0.9.7 has already not gotten fixes for all the latest flurry of
security issues, so anyone *is* using SSL but not at least the 0.9.8
branch, they are in trouble.

[1] http://openssl.6102.n7.nabble.com/OpenSSL-0-9-8-End-Of-Life-Announcement-td54155.html
[2] http://www.postgresql.org/message-id/20130712203252.GH29206@eldon.alvh.no-ip.org

--
Álvaro Herrera http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services