Responding to the recent thread on bumping the default TLS version, I realized that we don't have a way to set the minimum/maximum TLS protocol version in client-side libpq. Setting the maximum protocol version is obviously not terribly important (possibly with the exception of misbehaving middle-boxes and testing), but the minimum version can be quite useful to avoid misbehaving and/or misconfigured servers etc.
The attached patch implements two new connection string variables for minimum and maximum TLS protocol version, mimicking how it's done in the backend. This does duplicate a bit of code from be-secure-openssl.c to cope with older versions of OpenSSL, but it seemed too trivial a duplication to create common/openssl.c (but others might disagree). This can today be achieved by editing the local openssl configuration, but having an override in libpq to tighten down the connection parameters makes it far easier for the user/application IMO.
cheers ./daniel
libpq_minmaxproto.patch