On Fri, Nov 29, 2019 at 9:44 PM Michael Paquier <mich...@paquier.xyz> wrote:
> Actually, no, what I am writing here is incorrect. We should make
> sure that the default configuration is correct at initdb time, and
> the patch does not do that.

I think that would be overkill. There shouldn't be many people who are running with a version of PostgreSQL that is 8 years newer than the version of OpenSSL they are using, and who are also relying on SSL, and even if there are such people, it's a pretty minor configuration change to make it work.

However, it would be worth putting in some effort to make sure that we give a good error message if this happens. I'm not sure how practical that is. But there's a big difference between giving an incomprehensible OpenSSL message that says "things aren't working and good luck figuring out why" and giving a message that says something like:

ERROR: ssl_min_protocol_version specifies TLSv1.2, but your OpenSSL library does not support protocol versions beyond TLSv1.1

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company