| From: | Craig Ringer <craig(at)2ndquadrant(dot)com> |
|---|---|
| To: | Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net> |
| Cc: | Noah Misch <noah(at)leadboat(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-hackers(at)postgreSQL(dot)org, Wim Lewis <wiml(at)omnigroup(dot)com>, Marko Kreen <markokr(at)gmail(dot)com>, Jeffrey Walton <noloader(at)gmail(dot)com> |
| Subject: | Re: [COMMITTERS] pgsql: libpq: Support TLS versions beyond TLSv1. |
| Date: | 2014-01-26 10:10:38 |
| Message-ID: | 52E4DF1E.2030006@2ndquadrant.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-committers pgsql-hackers |
On 01/26/2014 10:13 AM, Alvaro Herrera wrote:
> Stephen Frost escribió:
>> * Noah Misch (noah(at)leadboat(dot)com) wrote:
>>> +1. If you can upgrade to 9.4, you can also bring your TLS protocol out of
>>> the iron age.
>>
>> Agreed- this was going to be my 2c. Anyone w/ an SSL library that old
>> isn't likely to be upgrading to 9.4 of libpq or PG.
>
> What about people doing SSL connections through JDBC? As far as I
> understand, these don't use openssl.
That's correct, PgJDBC uses Java's built-in SSL support, which is
provided by the underlying JSSE ("Java Secure Socket Extension") service
in the JVM.
From what I can find, it looks like Java 1.4.2 and newer, including Java
5, appear to support TLS 1.0. I haven't found anything definitive for
1.4.2 yet, but 1.5 certainly supports it.
That's all we need to care about IMO; 1.4.x users are running
unsupported and old PgJDBC versions (we dropped support for 1.4) and
they're generally happy living in the stone age.
So I don't see Java as a barrier here.
----
Finding a good reference on which Java runtimes support which features
is surprisingly hard.
Java 6 supports TLS. It took a bit to confirm that 1.5 does too. 1.4.2
may, but we don't need to care.
http://docs.oracle.com/javase/1.5.0/docs/guide/security/jsse/JSSERefGuide.html
claims:
"The JSSE implementation in the J2SDK 1.4 and later implements SSL 3.0
and TLS 1.0"
... but in the table "Default Enabled Cipher Suites" in:
http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html
Java 1.4.2 and newer are shown to support by default:
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
... and a bunch of SSL_ stuff.
so it looks like TLS support has probably been backpacked to 1.4.2. Java
1.4 is PostgreSQL 7.2 vintage, well into "we don't care, go away" land.
BTW, the JSSE docs also claim that "TLS 1.0 is a modest upgrade to the
most recent version of SSL, version 3.0. The differences between SSL 3.0
and TLS 1.0 are minor".
--
Craig Ringer http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Stephen Frost | 2014-01-26 14:40:26 | pgsql: Use E, not e, for escaping in example docs |
| Previous Message | Alvaro Herrera | 2014-01-26 02:13:11 | Re: [COMMITTERS] pgsql: libpq: Support TLS versions beyond TLSv1. |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Magnus Hagander | 2014-01-26 10:44:12 | Re: Visual Studio 2013 build |
| Previous Message | Simon Riggs | 2014-01-26 09:19:55 | Re: plpgsql.warn_shadow |