opensourcemirror
/
postgresql
mirror of git://git.postgresql.org/git/postgresql.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Change libpq's default ssl_min_protocol_version to TLSv1.2. 

When we initially created this parameter, in commit ff8ca5fad, we left
the default as "allow any protocol version" on grounds of backwards
compatibility.  However, that's inconsistent with the backend's default
since b1abfec82; protocol versions prior to 1.2 are not considered very
secure; and OpenSSL has had TLSv1.2 support since 2012, so the number
of PG servers that need a lesser minimum is probably quite small.

On top of those things, it emerges that some popular distros (including
Debian and RHEL) set MinProtocol=TLSv1.2 in openssl.cnf.  Thus, far
from having "allow any protocol version" behavior in practice, what
we actually have as things stand is a platform-dependent lower limit.

So, change our minds and set the min version to TLSv1.2.  Anybody
wanting to connect with a new libpq to a pre-2012 server can either
set ssl_min_protocol_version=TLSv1 or accept the fallback to non-SSL.

Back-patch to v13 where the aforementioned patches appeared.

Patch by me, reviewed by Daniel Gustafsson

Discussion: https://postgr.es/m/a9408304-4381-a5af-d259-e55d349ae4ce@2ndquadrant.com
This commit is contained in:
Tom Lane 2020-06-27 12:20:33 -04:00
parent e7b476c657
commit 6e682f61a5
2 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
doc/src/sgml/libpq.sgml
View File

@ -1745,9 +1745,9 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
<literal>TLSv1.1</literal>, <literal>TLSv1.2</literal> and
<literal>TLSv1.3</literal>. The supported protocols depend on the
version of <productname>OpenSSL</productname> used, older versions
not supporting the most modern protocol versions. If not set, this
parameter is ignored and the connection will use the minimum bound
defined by the backend.
not supporting the most modern protocol versions. If not specified,
the default is <literal>TLSv1.2</literal>, which satisfies industry
best practices as of this writing.
</para>
</listitem>
</varlistentry>

2
src/interfaces/libpq/fe-connect.c
View File

@ -320,7 +320,7 @@ static const internalPQconninfoOption PQconninfoOptions[] = {
"Require-Peer", "", 10,
offsetof(struct pg_conn, requirepeer)},
{"ssl_min_protocol_version", "PGSSLMINPROTOCOLVERSION", NULL, NULL,
{"ssl_min_protocol_version", "PGSSLMINPROTOCOLVERSION", "TLSv1.2", NULL,
"SSL-Minimum-Protocol-Version", "", 8, /* sizeof("TLSv1.x") == 8 */
offsetof(struct pg_conn, ssl_min_protocol_version)},