On 2020-06-24 10:33, Daniel Gustafsson wrote:
In PG13, we raised the server-side default of ssl_min_protocol_version to
TLSv1.2. We also added a connection setting named ssl_min_protocol_version to
libpq. But AFAICT, the default value of the libpq setting is empty, so any
protocol version will be accepted. Is this what we wanted? Should we raise
the default in libpq as well?
This was discussed [0] when the connection settings were introduced, and the
concensus was to leave them alone [1] to allow for example a new pg_dump to
work against an old server. Re-reading the thread I think the argument still
holds, but I was about to respond "yes, let's do this" before refreshing my
memory. Perhaps we should add a comment explaining this along the lines of the
attached?
[0]
https://www.postgresql.org/message-id/157800160408.1198.1714906047977693148.pgcf%40coridan.postgresql.org
[1] https://www.postgresql.org/message-id/31993.1578321474%40sss.pgh.pa.us
ISTM that these discussions went through the same questions and
arguments that were made regarding the server-side change but arrived at
a different conclusion. So I suggest to reconsider this so that we
don't ship with contradictory results.
That doesn't necessarily mean that we have to make a change, but we
should make sure our rationale is sound.
Note that all OpenSSL versions that do not support TLSv1.2 also do not
support TLSv1.1. So by saying, in effect, that TLSv1.2 is too new to
require, we are saying that we need to keep supporting TLSv1.0 -- which
is heavily deprecated. Also note that the first OpenSSL version with
support for TLSv1.2 shipped on March 14, 2012.
--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
