Diffstat (limited to 'src/backend/utils/misc')
-rw-r--r-- | src/backend/utils/misc/guc.c | 33 | ||||
-rw-r--r-- | src/backend/utils/misc/postgresql.conf.sample | 2 |
2 files changed, 35 insertions, 0 deletions
diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c
index 7e9e8c642bf..19c678f596f 100644
--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -428,6 +428,15 @@ static const struct config_enum_entry password_encryption_options[] = {
 {NULL, 0, false}
 };
 
+const struct config_enum_entry ssl_protocol_versions_info[] = {
+ {"", PG_TLS_ANY, false},
+ {"TLSv1", PG_TLS1_VERSION, false},
+ {"TLSv1.1", PG_TLS1_1_VERSION, false},
+ {"TLSv1.2", PG_TLS1_2_VERSION, false},
+ {"TLSv1.3", PG_TLS1_3_VERSION, false},
+ {NULL, 0, false}
+};
+
 /*
 * Options for enum values stored in other modules
 */
@@ -4193,6 +4202,30 @@ static struct config_enum ConfigureNamesEnum[] =
 NULL, NULL, NULL
 },
 
+ {
+ {"ssl_min_protocol_version", PGC_SIGHUP, CONN_AUTH_SSL,
+ gettext_noop("Sets the minimum SSL/TLS protocol version to use."),
+ NULL,
+ GUC_SUPERUSER_ONLY
+ },
+ &ssl_min_protocol_version,
+ PG_TLS1_VERSION,
+ ssl_protocol_versions_info + 1 /* don't allow PG_TLS_ANY */,
+ NULL, NULL, NULL
+ },
+
+ {
+ {"ssl_max_protocol_version", PGC_SIGHUP, CONN_AUTH_SSL,
+ gettext_noop("Sets the maximum SSL/TLS protocol version to use."),
+ NULL,
+ GUC_SUPERUSER_ONLY
+ },
+ &ssl_max_protocol_version,
+ PG_TLS_ANY,
+ ssl_protocol_versions_info,
+ NULL, NULL, NULL
+ },
+
 /* End-of-list marker */
 {
 {NULL, 0, 0, NULL, NULL}, NULL, 0, NULL, NULL, NULL, NULL
diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample
index ab063dae419..26d5c4c9677 100644
--- a/src/backend/utils/misc/postgresql.conf.sample
+++ b/src/backend/utils/misc/postgresql.conf.sample
@@ -103,6 +103,8 @@
 #ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
 #ssl_prefer_server_ciphers = on
 #ssl_ecdh_curve = 'prime256v1'
+#ssl_min_protocol_version = 'TLSv1'
+#ssl_max_protocol_version = ''
 #ssl_dh_params_file = ''
 #ssl_passphrase_command = ''
 #ssl_passphrase_command_supports_reload = off |
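Review bot: The new `ssl_protocol_versions_info[]` table in the first guc.c hunk carries an ordering contract that is not written down. The second hunk passes `ssl_protocol_versions_info + 1` for `ssl_min_protocol_version` to hide the `""` entry, so an entry inserted ahead of `""` would silently let the minimum be set to `PG_TLS_ANY`. I would add above the array `/* "" (PG_TLS_ANY) must remain the first entry: ssl_min_protocol_version skips it with "+ 1" */`. The array is also declared without `static`, unlike `password_encryption_options` just above it; unless another translation unit references it (not visible here), `static const struct config_enum_entry ssl_protocol_versions_info[] = {` would keep it file-local.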
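Review bot: Both new entries in the `ConfigureNamesEnum[]` hunk pass `NULL, NULL, NULL` for their hooks, so nothing at the GUC level rejects a configuration where `ssl_min_protocol_version` is higher than `ssl_max_protocol_version` (for example min `TLSv1.3` with max `TLSv1.1`). Because the two settings are assigned independently, a per-variable check hook is probably the wrong place for this. The code that builds the SSL context, which is outside this diff, should compare the two values and fail startup or reload with an explicit error rather than leave the outcome to the TLS library. If that check exists, a comment on these entries saying where it lives, e.g. `/* min <= max is enforced when the SSL context is initialized */`, would save the next reader the search; if it does not, it is worth adding in this commit. The array continues outside the hunk.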
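Review bot: The two lines added to postgresql.conf.sample have no trailing comments, so an operator cannot tell from the file what `''` means for `ssl_max_protocol_version` or which values are accepted. Judging by the table in guc.c, `''` maps to `PG_TLS_ANY`, presumably "no upper limit", and the accepted names are `TLSv1`, `TLSv1.1`, `TLSv1.2` and `TLSv1.3`. I would write `#ssl_max_protocol_version = ''	# '' means no upper limit` and list the accepted names beside the minimum. The default minimum of `TLSv1` still permits TLS 1.0 and 1.1, so a short comment recommending `TLSv1.2` or later where all clients support it would help operators harden the setting.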