open-dsi
/
postgres
mirror of https://github.com/postgres/postgres
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Update minimum SSL version

Browse Source 
Change default of ssl_min_protocol_version to TLSv1.2 (from TLSv1,
which means 1.0).  Older versions are still supported, just not by
default.

TLS 1.0 is widely deprecated, and TLS 1.1 only slightly less so.  All
OpenSSL versions that support TLS 1.1 also support TLS 1.2, so there
would be very little reason to, say, set the default to TLS 1.1
instead on grounds of better compatibility.

The test suite overrides this new setting, so it can still run with
older OpenSSL versions.

Discussion: https://www.postgresql.org/message-id/flat/b327f8df-da98-054d-0cc5-b76a857cfed9%402ndquadrant.com
pull/44/head
Peter Eisentraut 6 years ago
parent 4af77aa797
commit b1abfec825
4 changed files with 8 additions and 6 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 6
      doc/src/sgml/config.sgml
  2. 2
      src/backend/utils/misc/guc.c
  3. 2
      src/backend/utils/misc/postgresql.conf.sample
  4. 4
      src/test/ssl/t/SSLServer.pm

6
doc/src/sgml/config.sgml
Unescape View File

@ -1365,10 +1365,8 @@ include_dir 'conf.d'
</para> </para>
<para> <para>
The default is <literal>TLSv1</literal>, mainly to support older The default is <literal>TLSv1.2</literal>, which satisfies industry
versions of the <productname>OpenSSL</productname> library. You might best practices as of this writing.
want to set this to a higher value if all software components can
support the newer protocol versions.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>

2
src/backend/utils/misc/guc.c
Unescape View File

@ -4573,7 +4573,7 @@ static struct config_enum ConfigureNamesEnum[] =
GUC_SUPERUSER_ONLY GUC_SUPERUSER_ONLY
}, },
&ssl_min_protocol_version, &ssl_min_protocol_version,
PG_TLS1_VERSION, PG_TLS1_2_VERSION,
ssl_protocol_versions_info + 1, /* don't allow PG_TLS_ANY */ ssl_protocol_versions_info + 1, /* don't allow PG_TLS_ANY */
NULL, NULL, NULL NULL, NULL, NULL
}, },

2
src/backend/utils/misc/postgresql.conf.sample
Unescape View File

@ -105,7 +105,7 @@
#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers #ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
#ssl_prefer_server_ciphers = on #ssl_prefer_server_ciphers = on
#ssl_ecdh_curve = 'prime256v1' #ssl_ecdh_curve = 'prime256v1'
#ssl_min_protocol_version = 'TLSv1' #ssl_min_protocol_version = 'TLSv1.2'
#ssl_max_protocol_version = '' #ssl_max_protocol_version = ''
#ssl_dh_params_file = '' #ssl_dh_params_file = ''
#ssl_passphrase_command = '' #ssl_passphrase_command = ''

4
src/test/ssl/t/SSLServer.pm
Unescape View File

@ -132,6 +132,10 @@ sub configure_test_server_for_ssl
print $conf "listen_addresses='$serverhost'\n"; print $conf "listen_addresses='$serverhost'\n";
print $conf "log_statement=all\n"; print $conf "log_statement=all\n";
# Accept even old TLS versions so that builds with older OpenSSL
# can run the test suite.
print $conf "ssl_min_protocol_version='TLSv1'\n";
# enable SSL and set up server key # enable SSL and set up server key
print $conf "include 'sslconfig.conf'\n"; print $conf "include 'sslconfig.conf'\n";

Write Preview
Loading…
Cancel
Save