authorPeter Eisentraut <peter@eisentraut.org>2019-12-04 21:40:17 +0100
committerPeter Eisentraut <peter@eisentraut.org>2019-12-04 22:07:43 +0100
commitb1abfec825472434ea445b9700eaa80cde9da86a (patch)
treec73220c97d804582edc6d23e92713e5bbeb84681 /src
parent4af77aa797d95f9f77d7b88a41b4e02bc62d8975 (diff)
Update minimum SSL version
Change default of ssl_min_protocol_version to TLSv1.2 (from TLSv1, which means 1.0). Older versions are still supported, just not by default. TLS 1.0 is widely deprecated, and TLS 1.1 only slightly less so. All OpenSSL versions that support TLS 1.1 also support TLS 1.2, so there would be very little reason to, say, set the default to TLS 1.1 instead on grounds of better compatibility. The test suite overrides this new setting, so it can still run with older OpenSSL versions. Discussion: https://www.postgresql.org/message-id/flat/b327f8df-da98-054d-0cc5-b76a857cfed9%402ndquadrant.com
Diffstat (limited to 'src')
-rw-r--r--src/backend/utils/misc/guc.c2
-rw-r--r--src/backend/utils/misc/postgresql.conf.sample2
-rw-r--r--src/test/ssl/t/SSLServer.pm4
3 files changed, 6 insertions, 2 deletions
diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c
index 5fccc9683ee..ba74bf9f7dc 100644
--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -4573,7 +4573,7 @@ static struct config_enum ConfigureNamesEnum[] =
GUC_SUPERUSER_ONLY
},
&ssl_min_protocol_version,
- PG_TLS1_VERSION,
+ PG_TLS1_2_VERSION,
ssl_protocol_versions_info + 1, /* don't allow PG_TLS_ANY */
NULL, NULL, NULL
},
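Review bot: The new boot default `PG_TLS1_2_VERSION` carries no comment saying why it sits above the lowest value the enum still accepts, so the rationale from the commit message (TLS 1.0 and 1.1 are deprecated, and every OpenSSL that offers 1.1 also offers 1.2) survives only in history, while the line just below already documents why PG_TLS_ANY is excluded. A trailing comment such as `PG_TLS1_2_VERSION,	/* TLS 1.0 and 1.1 are deprecated; older values remain selectable */` would keep the reasoning next to the value a future maintainer is most likely to touch. The enclosing ConfigureNamesEnum entry begins before the hunk, so its short and long description strings could not be checked here for a stale mention of the old 'TLSv1' default; worth a glance, since postgresql.conf.sample is updated in step in the next hunk.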
diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample
index 46a06ffacd4..9541879c1fa 100644
--- a/src/backend/utils/misc/postgresql.conf.sample
+++ b/src/backend/utils/misc/postgresql.conf.sample
@@ -105,7 +105,7 @@
#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
#ssl_prefer_server_ciphers = on
#ssl_ecdh_curve = 'prime256v1'
-#ssl_min_protocol_version = 'TLSv1'
+#ssl_min_protocol_version = 'TLSv1.2'
#ssl_max_protocol_version = ''
#ssl_dh_params_file = ''
#ssl_passphrase_command = ''
diff --git a/src/test/ssl/t/SSLServer.pm b/src/test/ssl/t/SSLServer.pm
index 005955a2ff7..26b5964f4fe 100644
--- a/src/test/ssl/t/SSLServer.pm
+++ b/src/test/ssl/t/SSLServer.pm
@@ -132,6 +132,10 @@ sub configure_test_server_for_ssl
print $conf "listen_addresses='$serverhost'\n";
print $conf "log_statement=all\n";
+ # Accept even old TLS versions so that builds with older OpenSSL
+ # can run the test suite.
+ print $conf "ssl_min_protocol_version='TLSv1'\n";
+
# enable SSL and set up server key
print $conf "include 'sslconfig.conf'\n";