Commit 6e682f6
Change libpq's default ssl_min_protocol_version to TLSv1.2.
When we initially created this parameter, in commit ff8ca5f, we left the default as "allow any protocol version" on grounds of backwards compatibility. However, that's inconsistent with the backend's default since b1abfec; protocol versions prior to 1.2 are not considered very secure; and OpenSSL has had TLSv1.2 support since 2012, so the number of PG servers that need a lesser minimum is probably quite small.

On top of those things, it emerges that some popular distros (including Debian and RHEL) set MinProtocol=TLSv1.2 in openssl.cnf. Thus, far from having "allow any protocol version" behavior in practice, what we actually have as things stand is a platform-dependent lower limit.

So, change our minds and set the min version to TLSv1.2. Anybody wanting to connect with a new libpq to a pre-2012 server can either set ssl_min_protocol_version=TLSv1 or accept the fallback to non-SSL.

Back-patch to v13 where the aforementioned patches appeared.

Patch by me, reviewed by Daniel Gustafsson

Discussion: https://postgr.es/m/a9408304-4381-a5af-d259-e55d349ae4ce@2ndquadrant.com

1 parent e7b476c commit 6e682f6

2 files changed: +4 -4 lines changed


doc/src/sgml/libpq.sgml

Lines changed: 3 additions & 3 deletions
@@ -1745,9 +1745,9 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
17451745
<literal>TLSv1.1</literal>, <literal>TLSv1.2</literal> and
17461746
<literal>TLSv1.3</literal>. The supported protocols depend on the
17471747
version of <productname>OpenSSL</productname> used, older versions
1748-
not supporting the most modern protocol versions. If notset, this
1749-
parameter is ignored andtheconnection will use the minimum bound
1750-
defined by the backend.
1748+
not supporting the most modern protocol versions. If notspecified,
1749+
thedefault is <literal>TLSv1.2</literal>, which satisfies industry
1750+
best practices as of this writing.
17511751
</para>
17521752
</listitem>
17531753
</varlistentry>
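Review bot: The replacement text at lines 1748-1750 tells the reader that TLSv1.2 "satisfies industry best practices as of this writing" but not what the new default means in practice: a connection to a server that only offers TLSv1 or TLSv1.1 will now fail SSL negotiation unless the parameter is lowered. Since the commit message already spells out the workaround, suggest adding a sentence along the lines of "Connections to servers that do not support TLSv1.2 will fail unless ssl_min_protocol_version is set to a lower value (for example TLSv1)." Also, "as of this writing" ages badly in reference documentation; consider dropping it or stating the rationale instead (protocol versions before 1.2 are not considered secure).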

src/interfaces/libpq/fe-connect.c

Lines changed: 1 addition & 1 deletion
@@ -320,7 +320,7 @@ static const internalPQconninfoOption PQconninfoOptions[] = {
320320
"Require-Peer","",10,
321321
offsetof(structpg_conn,requirepeer)},
322322

323-
{"ssl_min_protocol_version","PGSSLMINPROTOCOLVERSION",NULL,NULL,
323+
{"ssl_min_protocol_version","PGSSLMINPROTOCOLVERSION","TLSv1.2",NULL,
324324
"SSL-Minimum-Protocol-Version","",8,/* sizeof("TLSv1.x") == 8 */
325325
offsetof(structpg_conn,ssl_min_protocol_version)},
326326

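Review bot: The compiled-in default at line 323 is a bare "TLSv1.2" literal with no comment explaining the choice, while the neighbouring line 324 does carry a comment for its dispsize value; a short comment pointing at the backend's matching default, or at the rationale given in the commit message, would help the next reader who wonders whether it is safe to lower it. Note also that this is only the compiled default: the PGSSLMINPROTOCOLVERSION environment variable in the same entry and an explicit ssl_min_protocol_version connection parameter still override it, so deployments that set either keep their behaviour, while everything else now refuses servers limited to TLSv1 or TLSv1.1. That is a behaviour change worth calling out in the release notes for the back-patched v13 branch.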