</listitem>

</varlistentry>

<varlistentry id="guc-ssl-min-protocol-version" xreflabel="ssl_min_protocol_version">

<term><varname>ssl_min_protocol_version</varname> (<type>enum</type>)

<indexterm>

<primary><varname>ssl_min_protocol_version</varname> configuration parameter</primary>

</indexterm>

</term>

<listitem>

<para>

Sets the minimum SSL/TLS protocol version to use. Valid values are

currently: <literal>TLSv1</literal>, <literal>TLSv1.1</literal>,

<literal>TLSv1.2</literal>, <literal>TLSv1.3</literal>. Older

versions of the <productname>OpenSSL</productname> library do not

support all values; an error will be raised if an unsupported setting

is chosen. Protocol versions before TLS 1.0, namely SSL version 2 and

3, are always disabled.

</para>

<para>

The default is <literal>TLSv1</literal>, mainly to support older

versions of the <productname>OpenSSL</productname> library. You might

want to set this to a higher value if all software components can

support the newer protocol versions.

</para>

</listitem>

</varlistentry>

<varlistentry id="guc-ssl-max-protocol-version" xreflabel="ssl_max_protocol_version">

<term><varname>ssl_max_protocol_version</varname> (<type>enum</type>)

<indexterm>

<primary><varname>ssl_max_protocol_version</varname> configuration parameter</primary>

</indexterm>

</term>

<listitem>

<para>

Sets the maximum SSL/TLS protocol version to use. Valid values are as

for <xref linkend="guc-ssl-min-protocol-version"/>, with addition of

an empty string, which allows any protocol version. The default is to

allow any version. Setting the maximum protocol version is mainly

useful for testing or if some component has issues working with a

newer protocol.

</para>

</listitem>

</varlistentry>

<varlistentry id="guc-ssl-dh-params-file" xreflabel="ssl_dh_params_file">

<term><varname>ssl_dh_params_file</varname> (<type>string</type>)

<indexterm>

staticbooldummy_ssl_passwd_cb_called= false;

staticboolssl_is_server_start;

staticintssl_protocol_version_to_openssl(intv,constchar*guc_name);

#if (OPENSSL_VERSION_NUMBER<0x10100000L)

staticintSSL_CTX_set_min_proto_version(SSL_CTX*ctx,intversion);

staticintSSL_CTX_set_max_proto_version(SSL_CTX*ctx,intversion);

gotoerror;

}

SSL_CTX_set_options(context,SSL_OP_NO_SSLv2 |SSL_OP_NO_SSLv3);

if (ssl_min_protocol_version)

SSL_CTX_set_min_proto_version(context,

ssl_protocol_version_to_openssl(ssl_min_protocol_version,

"ssl_min_protocol_version"));

if (ssl_max_protocol_version)

SSL_CTX_set_max_proto_version(context,

ssl_protocol_version_to_openssl(ssl_max_protocol_version,

"ssl_max_protocol_version"));

returnresult;

}

ssl_protocol_version_to_openssl(intv,constchar*guc_name)

{

switch (v)

{

casePG_TLS_ANY:

return0;

casePG_TLS1_VERSION:

returnTLS1_VERSION;

casePG_TLS1_1_VERSION:

returnTLS1_1_VERSION;

gotoerror;

casePG_TLS1_2_VERSION:

returnTLS1_2_VERSION;

gotoerror;

casePG_TLS1_3_VERSION:

returnTLS1_3_VERSION;

gotoerror;

}

error:

pg_attribute_unused();

ereport(ERROR,

(errmsg("%s setting %s not supported by this build",

guc_name,

GetConfigOption(guc_name, false, false))));

return-1;

}

#if (OPENSSL_VERSION_NUMBER<0x10100000L)

#error OpenSSL version mismatch

SSL_CTX_set_min_proto_version(SSL_CTX*ctx,intversion)

{

intssl_options=SSL_OP_NO_SSLv2 |SSL_OP_NO_SSLv3;

if (version>TLS1_VERSION)

ssl_options |=SSL_OP_NO_TLSv1;

if (version>TLS1_1_VERSION)

ssl_options |=SSL_OP_NO_TLSv1_1;

if (version>TLS1_2_VERSION)

ssl_options |=SSL_OP_NO_TLSv1_2;

SSL_CTX_set_options(ctx,ssl_options);

return1;/* success */

}

SSL_CTX_set_max_proto_version(SSL_CTX*ctx,intversion)

{

intssl_options=0;

AssertArg(version!=0);

if (version<TLS1_1_VERSION)

ssl_options |=SSL_OP_NO_TLSv1_1;

if (version<TLS1_2_VERSION)

ssl_options |=SSL_OP_NO_TLSv1_2;

SSL_CTX_set_options(ctx,ssl_options);

return1;/* success */

}

boolSSLPreferServerCiphers;

intssl_min_protocol_version;

intssl_max_protocol_version;

{NULL,0, false}

};

conststructconfig_enum_entryssl_protocol_versions_info[]= {

{"",PG_TLS_ANY, false},

{"TLSv1",PG_TLS1_VERSION, false},

{"TLSv1.1",PG_TLS1_1_VERSION, false},

{"TLSv1.2",PG_TLS1_2_VERSION, false},

{"TLSv1.3",PG_TLS1_3_VERSION, false},

{NULL,0, false}

};

NULL,NULL,NULL

},

{

{"ssl_min_protocol_version",PGC_SIGHUP,CONN_AUTH_SSL,

gettext_noop("Sets the minimum SSL/TLS protocol version to use."),

NULL,

},

&ssl_min_protocol_version,

PG_TLS1_VERSION,

ssl_protocol_versions_info+1/* don't allow PG_TLS_ANY */,

NULL,NULL,NULL

},

{

{"ssl_max_protocol_version",PGC_SIGHUP,CONN_AUTH_SSL,

gettext_noop("Sets the maximum SSL/TLS protocol version to use."),

NULL,

},

&ssl_max_protocol_version,

PG_TLS_ANY,

ssl_protocol_versions_info,

NULL,NULL,NULL

},

{

{NULL,0,0,NULL,NULL},NULL,0,NULL,NULL,NULL,NULL

#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers

#ssl_prefer_server_ciphers = on

#ssl_ecdh_curve = 'prime256v1'

#ssl_min_protocol_version = 'TLSv1'

#ssl_max_protocol_version = ''

#ssl_dh_params_file = ''

#ssl_passphrase_command = ''

#ssl_passphrase_command_supports_reload = off

externchar*SSLCipherSuites;

externchar*SSLECDHCurve;

externboolSSLPreferServerCiphers;

externintssl_min_protocol_version;

externintssl_max_protocol_version;

{

PG_TLS_ANY=0,

PG_TLS1_VERSION,

PG_TLS1_1_VERSION,

PG_TLS1_2_VERSION,

PG_TLS1_3_VERSION,

};