> On 1 Oct 2018, at 22:21, Peter Eisentraut <peter.eisentr...@2ndquadrant.com> 
> wrote:
> 
> There have been some requests to be able to select the TLS versions
> PostgreSQL is using.  We currently only hardcode that SSLv2 and SSLv3
> are disabled, but there is also some interest now in disabling TLSv1.0
> and TLSv1.1.  Also, I've had some issues in some combinations with the
> new TLSv1.3, so there is perhaps also some use for disabling at the top end.
> 
> Attached is a patch that implements this.  For example:
> 
>    ssl_min_protocol_version = 'TLSv1'
>    ssl_max_protocol_version = 'any'

I don’t think ‘any’ is a clear name for a setting which means “the highest
supported version”.  How about ‘max_supported’ or something similar?

> For reference, here is similar functionality implemented elsewhere:
> 
> https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols
> https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslprotocol
> 
> Unlike those two, which offer a list of protocols to use, I have gone
> with min and max settings.

FWIW, libcurl also supports a min/max approach with CURLOPT_SSLVERSION:

        https://curl.haxx.se/libcurl/c/CURLOPT_SSLVERSION.html

+1 for using a min/max approach for setting the version, and it should be
trivial to add support for in the pending GnuTLS and Secure Transport patches.

cheers ./daniel
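To make the min/max semantics concrete, here is an added illustration (not code from the patch or from PostgreSQL) modelling how a [min, max] pair selects the accepted protocol versions, how the handshake then picks the highest version both peers accept, and why a protocol list as in nginx or Apache is strictly more expressive. The `TLSVersion` values, the `SUPPORTED` tuple standing in for what the linked TLS library offers, and the reading of `'any'` as "the highest version this build supports" are assumptions made for the example.

```python
"""Model of min/max TLS protocol version selection (constructed example).

Assumptions: the server accepts every version in the closed range
[min, max]; the handshake picks the highest version both sides support;
'any' is interpreted as "the highest version this build supports".
"""
from enum import IntEnum


class TLSVersion(IntEnum):
    # Wire-format version numbers from the TLS record layer (major, minor).
    TLSv1 = 0x0301
    TLSv1_1 = 0x0302
    TLSv1_2 = 0x0303
    TLSv1_3 = 0x0304


# Hypothetical: the versions the linked TLS library was built with.
SUPPORTED = (
    TLSVersion.TLSv1,
    TLSVersion.TLSv1_1,
    TLSVersion.TLSv1_2,
    TLSVersion.TLSv1_3,
)

# Names as they would appear in a configuration file.
_NAMES = {
    "TLSv1": TLSVersion.TLSv1,
    "TLSv1.1": TLSVersion.TLSv1_1,
    "TLSv1.2": TLSVersion.TLSv1_2,
    "TLSv1.3": TLSVersion.TLSv1_3,
}


def parse_setting(value, supported=SUPPORTED):
    """Turn a setting string into a TLSVersion; 'any' is the highest supported."""
    if value == "any":
        return max(supported)
    try:
        return _NAMES[value]
    except KeyError:
        raise ValueError(f"unknown protocol version {value!r}") from None


def allowed_versions(min_setting, max_setting, supported=SUPPORTED):
    """Versions the server will accept for the given min/max settings.

    Rejects a configuration whose minimum lies above its maximum, since
    such a range would silently allow nothing.
    """
    lo = parse_setting(min_setting, supported)
    hi = parse_setting(max_setting, supported)
    if lo > hi:
        raise ValueError(
            f"min version {min_setting!r} is above max version {max_setting!r}"
        )
    return tuple(v for v in supported if lo <= v <= hi)


def negotiate(server_allowed, client_offered):
    """Highest version both peers accept, or None when the handshake fails."""
    common = set(server_allowed) & set(client_offered)
    return max(common) if common else None


def range_from_list(names, supported=SUPPORTED):
    """Convert an nginx/Apache style protocol list into a (min, max) pair.

    A list with a hole in it (e.g. TLSv1 and TLSv1.2 but not TLSv1.1)
    cannot be expressed as min/max, so that case is rejected explicitly.
    """
    chosen = sorted(_NAMES[n] for n in names)
    lo, hi = chosen[0], chosen[-1]
    contiguous = [v for v in supported if lo <= v <= hi]
    if contiguous != chosen:
        raise ValueError("protocol list is not contiguous; min/max cannot express it")
    return lo, hi


if __name__ == "__main__":
    allowed = allowed_versions("TLSv1.2", "any")
    print("server accepts:", [v.name for v in allowed])
    # Constructed client that only speaks the old versions: handshake fails.
    print("legacy client:", negotiate(allowed, [TLSVersion.TLSv1, TLSVersion.TLSv1_1]))
    print("modern client:", negotiate(allowed, [TLSVersion.TLSv1_2, TLSVersion.TLSv1_3]).name)
```

The `range_from_list` helper shows the one thing the min/max form gives up relative to the nginx and Apache lists: a non-contiguous set of versions. In practice that is rarely wanted, which is why a min/max pair is a reasonable trade for simpler configuration and validation.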
