Change libpq's default ssl_min_protocol_version to TLSv1.2.
When we initially created this parameter, in commit ff8ca5fad, we left
the default as "allow any protocol version" on grounds of backwards
compatibility. However, that's inconsistent with the backend's default
since b1abfec82; protocol versions prior to 1.2 are not considered very
secure; and OpenSSL has had TLSv1.2 support since 2012, so the number
of PG servers that need a lesser minimum is probably quite small.
On top of those things, it emerges that some popular distros (including
Debian and RHEL) set MinProtocol=TLSv1.2 in openssl.cnf. Thus, far
from having "allow any protocol version" behavior in practice, what
we actually have as things stand is a platform-dependent lower limit.
So, change our minds and set the min version to TLSv1.2. Anybody
wanting to connect with a new libpq to a pre-2012 server can either
set ssl_min_protocol_version=TLSv1 or accept the fallback to non-SSL.
Back-patch to v13 where the aforementioned patches appeared.
Patch by me, reviewed by Daniel Gustafsson
Discussion: https://postgr.es/m/a9408304-4381-a5af-d259-e55d349ae4ce@2ndquadrant.com
parent e7b476c657
commit 6e682f61a5
@ -1745,9 +1745,9 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
<literal>TLSv1.1</literal>, <literal>TLSv1.2</literal> and
<literal>TLSv1.3</literal>. The supported protocols depend on the
version of <productname>OpenSSL</productname> used, older versions
not supporting the most modern protocol versions. If not set, this
parameter is ignored and the connection will use the minimum bound
defined by the backend.
not supporting the most modern protocol versions. If not specified,
the default is <literal>TLSv1.2</literal>, which satisfies industry
best practices as of this writing.
</para>
</listitem>
</varlistentry>
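Review bot: the replacement paragraph (the lines from "not supporting the most modern protocol versions. If not specified," through "best practices as of this writing.") drops the only statement about the server side: the old text told readers the backend's minimum bound applies when the client leaves this unset, and the new text says nothing about the server's own ssl_min_protocol_version at all. Since the effective minimum is the stricter of the two ends, a sentence such as "The server's ssl_min_protocol_version setting still applies independently" would stop readers assuming that a client-side TLSv1 buys them TLS 1.0 against a server set to TLSv1.2. Two smaller points on the same lines: "as of this writing" carries no date and will age silently, and the escape hatch the commit message gives (set ssl_min_protocol_version=TLSv1 for a pre-2012 server, or accept the fallback to non-SSL) is exactly what a reader of this paragraph will need and belongs here too.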
@ -320,7 +320,7 @@ static const internalPQconninfoOption PQconninfoOptions[] = {
"Require-Peer", "", 10,
offsetof(struct pg_conn, requirepeer)},
{"ssl_min_protocol_version", "PGSSLMINPROTOCOLVERSION", NULL, NULL,
{"ssl_min_protocol_version", "PGSSLMINPROTOCOLVERSION", "TLSv1.2", NULL,
"SSL-Minimum-Protocol-Version", "", 8, /* sizeof("TLSv1.x") == 8 */
offsetof(struct pg_conn, ssl_min_protocol_version)},
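Review bot: changing the compiled default from NULL to "TLSv1.2" in the PQconninfoOptions entry is a visible behaviour change for every caller, not just a docs one: PQconndefaults() now reports "TLSv1.2" as the compiled value, and a connection that sets neither the keyword nor PGSSLMINPROTOCOLVERSION will now negotiate with a client-side floor where it previously deferred to the server. That deserves an explicit line in the v13 release notes, since the commit is being back-patched, and a regression test that asserts the default and that an explicit ssl_min_protocol_version=TLSv1 still overrides it would catch future drift. Also confirm that the compiled default goes through the same value validation as user input, so a libpq built against an OpenSSL without TLSv1.2 fails at connect time with the existing clear error rather than something less obvious; the dispsize comment /* sizeof("TLSv1.x") == 8 */ still holds for the new default, so nothing else in the entry needs to move.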