| From: | Alex Shulgin <ash(at)commandprompt(dot)com> |
|---|---|
| To: | Dag-Erling Smørgrav <des(at)des(dot)no> |
| Cc: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: [PATCH] add ssl_protocols configuration option |
| Date: | 2014-11-20 11:57:12 |
| Message-ID: | 878uj6ult3.fsf@commandprompt.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Dag-Erling Smørgrav <des(at)des(dot)no> writes:
> Alex Shulgin <ash(at)commandprompt(dot)com> writes:
>> * The patch works as advertised, though the only way to verify that
>> connections made with the protocol disabled by the GUC are indeed
>> rejected is to edit fe-secure-openssl.c to only allow specific TLS
>> versions. Adding configuration on the libpq side as suggested in the
>> original discussion might help here.
>
> I can easily do that, but I won't have time until next week or so.
I can do that too, just need a hint where to look at in libpq/psql to
add the option.
For SSL we have sslmode and sslcompression, etc. in conninfo, so adding
sslprotocols seems to be an option. As an aside note: should we also
expose a parameter to choose SSL ciphers (would be a separate patch)?
--
Alex
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Simon Riggs | 2014-11-20 11:58:29 | Re: proposal: plpgsql - Assert statement |
| Previous Message | Simon Riggs | 2014-11-20 09:37:33 | Re: Add shutdown_at_recovery_target option to recovery.conf |