On 2019-12-02 17:39, Tom Lane wrote:
> Robert Haas <robertmh...@gmail.com> writes:
>> ... However, it would be worth putting in some
>> effort to make sure that we give a good error message if this happens.
>
> That's an excellent point, but it looks like we're pretty good
> already.  I tried the patch with openssl 0.9.8x, and got this
> failure at server start:
>
> FATAL:  ssl_min_protocol_version setting TLSv1.2 not supported by this build

That's the easy part, since it's under our control. The other situation is if you connect with an old library to a newer server that has the raised ssl_min_protocol_version setting. Then you get something like this:

psql: SSL error: tlsv1 alert protocol version

and on the server:

LOG:  could not accept SSL connection: unsupported protocol

Not great, but usable.

(What actually happens due to the default of PGSSLMODE=prefer is that psql/libpq will have the SSL connection attempt rejected and will connect using a non-SSL connection.)

--
Peter Eisentraut              http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
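
Added example, not part of the original message: a server-log check for the fallback described in the parenthetical above, where a client rejected for its TLS version reconnects without SSL under sslmode=prefer. The log lines are constructed, and the parser assumes log_connections=on with log_line_prefix='%m [%p] %h '; the function and variable names are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Constructed sample server log. Assumes log_connections=on and
# log_line_prefix='%m [%p] %h ' (timestamp, backend PID, client host).
SAMPLE_LOG = """\
2019-12-02 17:40:01.120 UTC [4101] 192.0.2.10 LOG:  could not accept SSL connection: unsupported protocol
2019-12-02 17:40:01.180 UTC [4102] 192.0.2.10 LOG:  connection authorized: user=app database=appdb
2019-12-02 17:40:05.000 UTC [4103] 192.0.2.20 LOG:  connection authorized: user=app database=appdb SSL enabled (protocol=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256, compression=off)
2019-12-02 17:41:00.000 UTC [4104] 192.0.2.30 LOG:  could not accept SSL connection: unsupported protocol
2019-12-02 17:45:00.000 UTC [4105] 192.0.2.30 LOG:  connection authorized: user=app database=appdb
"""

LINE = re.compile(r"^(\S+ \S+) \S+ \[\d+\] (\S+) LOG:\s+(.*)$")
TLS_REJECT = "could not accept SSL connection: unsupported protocol"

def find_plaintext_fallbacks(log_text, window=timedelta(seconds=5)):
    """Return (host, user, database) for each non-SSL session authorized
    within `window` of a TLS version rejection from the same host."""
    rejected = {}  # host -> time of the most recent TLS rejection
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        host, msg = m.group(2), m.group(3)
        if msg == TLS_REJECT:
            rejected[host] = ts
        elif msg.startswith("connection authorized:"):
            seen = rejected.pop(host, None)
            if "SSL enabled" in msg or seen is None:
                continue  # encrypted session, or no earlier rejection
            if ts - seen <= window:
                # Pull user=... and database=... out of the message.
                fields = dict(kv.split("=", 1) for kv in msg.split()[2:] if "=" in kv)
                hits.append((host, fields.get("user"), fields.get("database")))
    return hits

if __name__ == "__main__":
    for hit in find_plaintext_fallbacks(SAMPLE_LOG):
        print("plaintext fallback after TLS rejection:", hit)
```

Using hostssl rather than host entries in pg_hba.conf, or sslmode=require on the client, makes the connection fail instead of falling back.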

