Commit b1abfec

Update minimum SSL version
Change default of ssl_min_protocol_version to TLSv1.2 (from TLSv1,
which means 1.0). Older versions are still supported, just not by
default.

TLS 1.0 is widely deprecated, and TLS 1.1 only slightly less so. All
OpenSSL versions that support TLS 1.1 also support TLS 1.2, so there
would be very little reason to, say, set the default to TLS 1.1
instead on grounds of better compatibility.

The test suite overrides this new setting, so it can still run with
older OpenSSL versions.

Discussion: https://www.postgresql.org/message-id/flat/b327f8df-da98-054d-0cc5-b76a857cfed9%402ndquadrant.com

1 parent 4af77aa commit b1abfec

4 files changed

+8
-6
lines changed


‎doc/src/sgml/config.sgml

Lines changed: 2 additions & 4 deletions
Original file line number | Diff line number | Diff line change
@@ -1365,10 +1365,8 @@ include_dir 'conf.d'
13651365
</para>
13661366

13671367
<para>
1368-
The default is <literal>TLSv1</literal>, mainly to support older
1369-
versions of the <productname>OpenSSL</productname> library. You might
1370-
want to set this to a higher value if all software components can
1371-
support the newer protocol versions.
1368+
The default is <literal>TLSv1.2</literal>, which satisfies industry
1369+
best practices as of this writing.
13721370
</para>
13731371
</listitem>
13741372
</varlistentry>
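Review bot: The replacement sentence at new lines 1368-1369 drops the only guidance the paragraph gave on choosing a value and no longer tells the reader that lower settings remain available. Suggest stating that <literal>TLSv1</literal> and <literal>TLSv1.1</literal> can still be set explicitly for clients or OpenSSL builds that need them, and replacing "industry best practices as of this writing", which will date and gives the administrator nothing concrete to check against.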

‎src/backend/utils/misc/guc.c

Lines changed: 1 addition & 1 deletion
@@ -4573,7 +4573,7 @@ static struct config_enum ConfigureNamesEnum[] =
45734573
GUC_SUPERUSER_ONLY
45744574
},
45754575
&ssl_min_protocol_version,
4576-
PG_TLS1_VERSION,
4576+
PG_TLS1_2_VERSION,
45774577
ssl_protocol_versions_info+1,/* don't allow PG_TLS_ANY */
45784578
NULL,NULL,NULL
45794579
},
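Review bot: Swapping the boot value at line 4576 from PG_TLS1_VERSION to PG_TLS1_2_VERSION changes behaviour for every installation that leaves ssl_min_protocol_version unset: after an upgrade the server stops accepting TLS 1.0 and 1.1 handshakes with no configuration change on the administrator's side. That is the intent, but it deserves a compatibility entry in the release notes that names ssl_min_protocol_version = 'TLSv1' as the explicit way to restore the old floor, so operators with legacy clients can plan for it rather than find out from connection failures.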

‎src/backend/utils/misc/postgresql.conf.sample

Lines changed: 1 addition & 1 deletion
@@ -105,7 +105,7 @@
105105
#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
106106
#ssl_prefer_server_ciphers = on
107107
#ssl_ecdh_curve = 'prime256v1'
108-
#ssl_min_protocol_version = 'TLSv1'
108+
#ssl_min_protocol_version = 'TLSv1.2'
109109
#ssl_max_protocol_version = ''
110110
#ssl_dh_params_file = ''
111111
#ssl_passphrase_command = ''
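Review bot: With the default at line 108 raised to 'TLSv1.2', a configuration that sets only ssl_max_protocol_version (line 109) to 'TLSv1' or 'TLSv1.1' and leaves the minimum commented out now ends up with a minimum above its maximum, where before it was a valid range. Please confirm that this combination fails at startup with a clear error instead of producing a server that silently accepts no TLS connections, and consider a short trailing comment on line 108 noting that lower values are still accepted.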

‎src/test/ssl/t/SSLServer.pm

Lines changed: 4 additions & 0 deletions
@@ -132,6 +132,10 @@ sub configure_test_server_for_ssl
132132
print$conf"listen_addresses='$serverhost'\n";
133133
print$conf"log_statement=all\n";
134134

135+
# Accept even old TLS versions so that builds with older OpenSSL
136+
# can run the test suite.
137+
print$conf"ssl_min_protocol_version='TLSv1'\n";
138+
135139
# enable SSL and set up server key
136140
print$conf"include 'sslconfig.conf'\n";
137141
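Review bot: The override added at lines 135-137 sets ssl_min_protocol_version='TLSv1' unconditionally, so after this commit no SSL test runs against the new TLSv1.2 default and a regression in that default would go unnoticed. Suggest either applying the override only when the OpenSSL build lacks TLS 1.2, or adding one test that leaves the setting at its default and checks that a connection capped below TLS 1.2 is refused.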
