Re: should libpq also require TLSv1.2 by default?

From: Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>
To: Daniel Gustafsson <daniel(at)yesql(dot)se>
Cc: pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: should libpq also require TLSv1.2 by default?
Date: 2020-06-24 17:57:31
Message-ID: 64437c39-c5fb-d799-f3d3-b638e34c1dd2@2ndquadrant.com
Lists: pgsql-hackers

On 2020-06-24 10:33, Daniel Gustafsson wrote:
>> In PG13, we raised the server-side default of ssl_min_protocol_version to TLSv1.2. We also added a connection setting named ssl_min_protocol_version to libpq. But AFAICT, the default value of the libpq setting is empty, so any protocol version will be accepted. Is this what we wanted? Should we raise the default in libpq as well?
>
> This was discussed [0] when the connection settings were introduced, and the
> concensus was to leave them alone [1] to allow for example a new pg_dump to
> work against an old server. Re-reading the thread I think the argument still
> holds, but I was about to respond "yes, let's do this" before refreshing my
> memory. Perhaps we should add a comment explaining this along the lines of the
> attached?
>
> [0] https://www.postgresql.org/message-id/157800160408.1198.1714906047977693148.pgcf%40coridan.postgresql.org
> [1] https://www.postgresql.org/message-id/31993.1578321474%40sss.pgh.pa.us

ISTM that these discussions went through the same questions and
arguments that were made regarding the server-side change but arrived at
a different conclusion. So I suggest reconsidering this so that we
don't ship with contradictory results.

That doesn't necessarily mean that we have to make a change, but we
should make sure our rationale is sound.

Note that all OpenSSL versions that do not support TLSv1.2 also do not
support TLSv1.1. So by saying, in effect, that TLSv1.2 is too new to
require, we are saying that we need to keep supporting TLSv1.0 -- which
is heavily deprecated. Also note that the first OpenSSL version with
support for TLSv1.2 shipped on March 14, 2012.

--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
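
The practical consequence of the point made in this message, as an added example that is not part of the thread or of libpq itself: with the libpq default left empty, the TLS floor a client actually gets is whatever the server enforces, so a client talking to a server still on ssl_min_protocol_version=TLSv1 will happily use TLSv1.0. The script below parses a libpq keyword/value connection string (the space-separated key=value syntax with single-quoted values and backslash escapes), reports the effective TLS floor for a given server-side ssl_min_protocol_version, and pins ssl_min_protocol_version=TLSv1.2 on connection strings that lack it. It assumes the PG13 state described above (server default TLSv1.2, libpq default empty meaning "anything the server allows") and the ssl_min_protocol_version value names TLSv1, TLSv1.1, TLSv1.2 and TLSv1.3; the host names are constructed for illustration.

```python
"""Audit libpq connection strings for an explicit TLS version floor.

Added example; not code from the pgsql-hackers message or from libpq.
Assumptions: libpq keyword=value conninfo syntax, PG13 server default
ssl_min_protocol_version=TLSv1.2, and an empty libpq default that accepts
any protocol version the server permits.
"""

# Ordering of the values ssl_min_protocol_version accepts (lowest first).
TLS_ORDER = {"TLSv1": 0, "TLSv1.1": 1, "TLSv1.2": 2, "TLSv1.3": 3}

SERVER_DEFAULT_MIN = "TLSv1.2"   # PG13 server-side default, per the thread
LIBPQ_DEFAULT_MIN = ""           # libpq default at the time of the thread


def parse_conninfo(conninfo):
    """Parse a libpq keyword=value connection string into a dict.

    Handles whitespace around '=', single-quoted values and backslash
    escapes inside or outside quotes. Later keys override earlier ones,
    as in libpq.
    """
    params = {}
    i, n = 0, len(conninfo)
    while i < n:
        while i < n and conninfo[i].isspace():
            i += 1
        if i >= n:
            break
        eq = conninfo.find("=", i)
        if eq < 0:
            raise ValueError("missing '=' after %r" % conninfo[i:])
        key = conninfo[i:eq].strip()
        if not key:
            raise ValueError("empty keyword in conninfo")
        i = eq + 1
        while i < n and conninfo[i].isspace():
            i += 1
        value = []
        if i < n and conninfo[i] == "'":
            i += 1
            while i < n and conninfo[i] != "'":
                if conninfo[i] == "\\" and i + 1 < n:
                    i += 1
                value.append(conninfo[i])
                i += 1
            if i >= n:
                raise ValueError("unterminated quoted value for %r" % key)
            i += 1  # closing quote
        else:
            while i < n and not conninfo[i].isspace():
                if conninfo[i] == "\\" and i + 1 < n:
                    i += 1
                value.append(conninfo[i])
                i += 1
        params[key] = "".join(value)
    return params


def effective_tls_floor(conninfo, server_min=SERVER_DEFAULT_MIN):
    """Return (floor, client_pinned) for a connection to the given server.

    Both sides refuse versions below their own minimum, so the negotiated
    version is at least the higher of the two floors. An empty client
    setting contributes nothing, so the floor is purely the server's.
    Returns (None, False) when TLS is not used at all (sslmode=disable).
    """
    params = parse_conninfo(conninfo)
    if params.get("sslmode", "prefer") == "disable":
        return None, False
    client_min = params.get("ssl_min_protocol_version", LIBPQ_DEFAULT_MIN)
    if server_min not in TLS_ORDER:
        raise ValueError("unknown server minimum %r" % server_min)
    if client_min == "":
        return server_min, False
    if client_min not in TLS_ORDER:
        raise ValueError("unknown ssl_min_protocol_version %r" % client_min)
    floor = max(client_min, server_min, key=TLS_ORDER.__getitem__)
    return floor, True


def pin_tls_floor(conninfo, minimum="TLSv1.2"):
    """Append ssl_min_protocol_version if the conninfo does not set one."""
    if "ssl_min_protocol_version" in parse_conninfo(conninfo):
        return conninfo
    return "%s ssl_min_protocol_version=%s" % (conninfo.rstrip(), minimum)


if __name__ == "__main__":
    # Constructed sample connection string; the host is fictitious.
    conn = "host=db.example.internal dbname='app db' sslmode=verify-full"
    for server_min in ("TLSv1", "TLSv1.2"):
        print(server_min, effective_tls_floor(conn, server_min))
        print(server_min, effective_tls_floor(pin_tls_floor(conn), server_min))
```

Running the script against a server still configured with ssl_min_protocol_version=TLSv1 shows the asymmetry the message describes: the unpinned client lands on a TLSv1 floor, while the same string with ssl_min_protocol_version=TLSv1.2 appended refuses anything older regardless of what the server permits.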
