| From: | Magnus Hagander <magnus(at)hagander(dot)net> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, PostgreSQL mailing lists <pgsql-hackers(at)postgresql(dot)org>, Dag-Erling Smørgrav <des(at)des(dot)no> |
| Subject: | Re: [PATCH] add ssl_protocols configuration option |
| Date: | 2014-10-19 20:04:35 |
| Message-ID: | CABUevEyAehByVLEEUhHjdrx5uoyU1h2zkOkLmp1ihRxxYfHx6g@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Oct 19, 2014 9:18 PM, "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>
> Magnus Hagander <magnus(at)hagander(dot)net> writes:
> > On Sun, Oct 19, 2014 at 6:17 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> >> And in the end, if we set values like this from PG --- whether
> >> hard-wired or via a GUC --- the SSL library people will have exactly
> >> the same perspective with regards to *our* values. And not without
> >> reason; we were forcing very obsolete settings up till recently,
> >> because nobody had looked at the issue for a decade. I see no reason
> >> to expect that that history won't repeat itself.
>
> > The best part would be if we could just leave it up to the SSL
> > library, but at least the openssl one doesn't have an API that lets us
> > do that, right? We *have* to pick something...
>
> As far as protocol version goes, I think our existing coding basically
> says "prefer newest available version, but at least TLS 1.0". I think
> that's probably a reasonable approach.
>
Yes, it does that. Though it only does it on 9.4,but with the facts we know
now, what 9.4+ does is perfectly safe.
/Magnus
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Marko Tiikkaja | 2014-10-19 21:24:18 | Wrong filename in comment |
| Previous Message | Tom Lane | 2014-10-19 19:18:41 | Re: [PATCH] add ssl_protocols configuration option |