forked from postgres/postgres
Commit 6e682f6
Change libpq's default ssl_min_protocol_version to TLSv1.2.
When we initially created this parameter, in commit ff8ca5f, we left the default as "allow any protocol version" on grounds of backwards compatibility. However, that's inconsistent with the backend's default since b1abfec; protocol versions prior to 1.2 are not considered very secure; and OpenSSL has had TLSv1.2 support since 2012, so the number of PG servers that need a lesser minimum is probably quite small.

On top of those things, it emerges that some popular distros (including Debian and RHEL) set MinProtocol=TLSv1.2 in openssl.cnf. Thus, far from having "allow any protocol version" behavior in practice, what we actually have as things stand is a platform-dependent lower limit.

So, change our minds and set the min version to TLSv1.2. Anybody wanting to connect with a new libpq to a pre-2012 server can either set ssl_min_protocol_version=TLSv1 or accept the fallback to non-SSL.

Back-patch to v13 where the aforementioned patches appeared.

Patch by me, reviewed by Daniel Gustafsson

Discussion: https://postgr.es/m/a9408304-4381-a5af-d259-e55d349ae4ce@2ndquadrant.com

1 parent e7b476c commit 6e682f6
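The commit message points at two client-side settings that decide what a libpq connection can degrade to: the ssl_min_protocol_version floor (now TLSv1.2 by default) and sslmode, whose default "prefer" silently falls back to non-SSL when the TLS handshake fails. The following checker is an added example written for this page, not libpq code; it parses a conninfo string with a deliberately simple parser, applies the documented defaults and environment overrides (PGSSLMINPROTOCOLVERSION, PGSSLMAXPROTOCOLVERSION, PGSSLMODE), and reports a lowered floor, an inverted min/max range, or a plaintext fallback.

```python
"""Hypothetical libpq conninfo TLS-policy checker written for this page (not libpq
code).  Uses the documented defaults after this commit: ssl_min_protocol_version
TLSv1.2, ssl_max_protocol_version unset, sslmode "prefer", each overridable by
PGSSLMINPROTOCOLVERSION / PGSSLMAXPROTOCOLVERSION / PGSSLMODE."""
import os
import shlex

# Protocol names libpq accepts (matched case-insensitively); "" means no limit.
TLS_RANK = {"tlsv1": 1, "tlsv1.1": 2, "tlsv1.2": 3, "tlsv1.3": 4}
DEFAULT_MIN = "TLSv1.2"  # libpq default from this commit onward (v13+)

def parse_conninfo(conninfo):
    """Parse key=value pairs; values may be single-quoted.  Spaces around '='
    (which libpq tolerates) are deliberately not supported by this toy parser."""
    opts = {}
    for token in shlex.split(conninfo):
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"malformed conninfo token: {token!r}")
        opts[key] = value
    return opts

def _rank(version):
    """0 for no limit, libpq's ordering otherwise, None if libpq would reject it."""
    return 0 if version == "" else TLS_RANK.get(version.lower())

def check_tls_policy(conninfo, env=None):
    """Return (min, max, findings); findings are the policy problems detected."""
    env = os.environ if env is None else env
    opts = parse_conninfo(conninfo)
    pick = lambda key, var, dflt: opts[key] if key in opts else env.get(var, dflt)
    vmin = pick("ssl_min_protocol_version", "PGSSLMINPROTOCOLVERSION", DEFAULT_MIN)
    vmax = pick("ssl_max_protocol_version", "PGSSLMAXPROTOCOLVERSION", "")
    sslmode = pick("sslmode", "PGSSLMODE", "prefer")
    rmin, rmax = _rank(vmin), _rank(vmax)
    if rmin is None or rmax is None:
        return vmin, vmax, [f"unrecognized protocol version ({vmin!r}/{vmax!r})"]
    findings = []
    if rmax and rmin > rmax:  # libpq refuses a floor above the ceiling
        findings.append(f"invalid range: min {vmin} is above max {vmax}")
    if rmin < TLS_RANK["tlsv1.2"]:
        findings.append(f"floor below TLSv1.2 ({vmin or 'any'}): pre-1.2 TLS allowed")
    if sslmode == "prefer":
        findings.append("sslmode=prefer: a failed TLS handshake falls back to non-SSL")
    elif sslmode in ("allow", "disable"):
        findings.append(f"sslmode={sslmode}: plaintext connections are accepted")
    return vmin, vmax, findings
```

Run it against the connection strings your applications actually use; an empty findings list means the floor is at least TLSv1.2 and the connection cannot quietly degrade to plaintext.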
2 files changed: +4 −4 lines

Lines changed: 3 additions & 3 deletions
Original file line number | Diff line number | Diff line change
---|---|---
1745 | 1745 |
1746 | 1746 |
1747 | 1747 |
1748 | | -
1749 | | -
1750 | | -
| 1748 | +
| 1749 | +
| 1750 | +
1751 | 1751 |
1752 | 1752 |
1753 | 1753 |
Lines changed: 1 addition & 1 deletion
Original file line number | Diff line number | Diff line change
---|---|---
320 | 320 |
321 | 321 |
322 | 322 |
323 | | -
| 323 | +
324 | 324 |
325 | 325 |
326 | 326 |