Re: settings to control SSL/TLS protocol version

2018-11-20 Thread Peter Eisentraut
On 04/11/2018 04:24, Steve Singer wrote: > The feature seems useful a lot of application servers are implementing > minimal TLS protocol versions. > I don't see a way to restrict libpq to only connect with certain protocol > versions. Maybe that is a separate patch but it would make this feature

Re: settings to control SSL/TLS protocol version

2018-11-05 Thread Michael Paquier
On Mon, Nov 05, 2018 at 03:01:58PM -0500, Robert Haas wrote: > +1. Maybe it would make sense to spell 'any' as the empty string. > Intuitively, it makes more sense to me to think about there being no > maximum than to think about the maximum being anything. I have looked at the code a bit yesterd

settings to control SSL/TLS protocol version

2018-11-05 Thread David G. Johnston
On Monday, November 5, 2018, David Fetter wrote: > On Mon, Nov 05, 2018 at 03:01:58PM -0500, Robert Haas wrote: > > On Mon, Oct 1, 2018 at 4:21 PM Peter Eisentraut > > wrote: > > > > > > Attached is a patch that implements this. For example: > > > > > > ssl_min_protocol_version = 'TLSv1' >

Re: settings to control SSL/TLS protocol version

2018-11-05 Thread David Fetter
On Mon, Nov 05, 2018 at 03:01:58PM -0500, Robert Haas wrote: > On Mon, Oct 1, 2018 at 4:21 PM Peter Eisentraut > wrote: > > There have been some requests to be able to select the TLS versions > > PostgreSQL is using. We currently only hardcode that SSLv2 and SSLv3 > > are disabled, but there is a

Re: settings to control SSL/TLS protocol version

2018-11-05 Thread Robert Haas
On Mon, Oct 1, 2018 at 4:21 PM Peter Eisentraut wrote: > There have been some requests to be able to select the TLS versions > PostgreSQL is using. We currently only hardcode that SSLv2 and SSLv3 > are disabled, but there is also some interest now in disabling TLSv1.0 > and TLSv1.1. Also, I've h

Re: settings to control SSL/TLS protocol version

2018-11-03 Thread Steve Singer
The following review has been posted through the commitfest application: make installcheck-world: tested, passed Implements feature: tested, passed Spec compliant: not tested Documentation: tested, passed I've reviewed the patch and here are my comments. The feature se

Re: settings to control SSL/TLS protocol version

2018-10-02 Thread Daniel Gustafsson
> On 2 Oct 2018, at 14:23, Peter Eisentraut > wrote: > > On 01/10/2018 23:30, Daniel Gustafsson wrote: >>> ssl_min_protocol_version = 'TLSv1' >>> ssl_max_protocol_version = 'any' >> >> I don’t think ‘any’ is a clear name for a setting which means “the highest >> supported version”. How abo

Re: settings to control SSL/TLS protocol version

2018-10-02 Thread Peter Eisentraut
On 01/10/2018 23:30, Daniel Gustafsson wrote: >>ssl_min_protocol_version = 'TLSv1' >>ssl_max_protocol_version = 'any' > > I don’t think ‘any’ is a clear name for a setting which means “the highest > supported version”. How about ‘max_supported’ or something similar? I can see the argumen

Re: settings to control SSL/TLS protocol version

2018-10-01 Thread Daniel Gustafsson
> On 1 Oct 2018, at 22:21, Peter Eisentraut > wrote: > > There have been some requests to be able to select the TLS versions > PostgreSQL is using. We currently only hardcode that SSLv2 and SSLv3 > are disabled, but there is also some interest now in disabling TLSv1.0 > and TLSv1.1. Also, I've

settings to control SSL/TLS protocol version

2018-10-01 Thread Peter Eisentraut
From 768ccf861b6904baa25a601a09c5e440f3f62cca Mon Sep 17 00:00:00 2001 From: Peter Eisentraut Date: Mon, 1 Oct 2018 21:43:30 +0200 Subject: [PATCH] Add settings to control SSL/TLS protocol version For example: ssl_min_protocol_version = 'T