On 01/26/2014 10:13 AM, Alvaro Herrera wrote:
> Stephen Frost escribió:
>> * Noah Misch (n...@leadboat.com) wrote:
>>> +1.  If you can upgrade to 9.4, you can also bring your TLS protocol out of
>>> the iron age.
>>
>> Agreed- this was going to be my 2c.  Anyone w/ an SSL library that old
>> isn't likely to be upgrading to 9.4 of libpq or PG.
> 
> What about people doing SSL connections through JDBC?  As far as I
> understand, these don't use openssl.

That's correct, PgJDBC uses Java's built-in SSL support, which is
provided by the underlying JSSE ("Java Secure Socket Extension") service
in the JVM.

From what I can find, it looks like Java 1.4.2 and newer, including Java
5, appear to support TLS 1.0. I haven't found anything definitive for
1.4.2 yet, but 1.5 certainly supports it.

That's all we need to care about IMO; 1.4.x users are running
unsupported and old PgJDBC versions (we dropped support for 1.4) and
they're generally happy living in the stone age.

So I don't see Java as a barrier here.

----

Finding a good reference on which Java runtimes support which features
is surprisingly hard.

Java 6 supports TLS. It took a bit to confirm that 1.5 does too. 1.4.2
may, but we don't need to care.

http://docs.oracle.com/javase/1.5.0/docs/guide/security/jsse/JSSERefGuide.html

claims:

"The JSSE implementation in the J2SDK 1.4 and later implements SSL 3.0
and TLS 1.0"

... but in the table "Default Enabled Cipher Suites" in:

http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html

Java 1.4.2 and newer are shown to support by default:

 TLS_RSA_WITH_AES_256_CBC_SHA
 TLS_DHE_RSA_WITH_AES_256_CBC_SHA
 TLS_DHE_DSS_WITH_AES_256_CBC_SHA
 TLS_RSA_WITH_AES_128_CBC_SHA
 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
 TLS_DHE_DSS_WITH_AES_128_CBC_SHA

... and a bunch of SSL_ stuff.

So it looks like TLS support has probably been backported to 1.4.2. Java
1.4 is PostgreSQL 7.2 vintage, well into "we don't care, go away" land.

BTW, the JSSE docs also claim that "TLS 1.0 is a modest upgrade to the
most recent version of SSL, version 3.0. The differences between SSL 3.0
and TLS 1.0 are minor".


-- 
 Craig Ringer                   http://www.2ndQuadrant.com/
 PostgreSQL Development, 24x7 Support, Training & Services
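As an added illustration, not part of this thread and not PgJDBC code: since (as noted above) finding a reliable reference for what a given Java runtime supports is hard, the simplest defensible answer is to ask the JVM itself. The program below uses the standard JSSE `SSLContext` API (Java 6 and later; the `getDefaultSSLParameters`/`getSupportedSSLParameters` methods do not exist on 1.5) to list the protocols and cipher suites enabled by default and to check for the TLS_ suites quoted from the "Default Enabled Cipher Suites" table. The class name and the "wanted"/"legacy" classification are my own assumptions for the example.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;

// Hypothetical helper (not from PgJDBC): reports what the running JVM's JSSE
// provider enables by default, so TLS support can be verified per runtime
// instead of inferred from version tables.
public class JsseTlsCheck {

    // The TLS_ suites the JSSE table lists as enabled by default from 1.4.2 on.
    static final String[] EXPECTED_TLS_SUITES = {
        "TLS_RSA_WITH_AES_256_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    };

    // Protocol names that, if still enabled by default, a DBA would want to know about.
    static final String[] LEGACY_PROTOCOLS = { "SSLv2Hello", "SSLv3" };

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters def = ctx.getDefaultSSLParameters();   // what a plain socket gets
        SSLParameters sup = ctx.getSupportedSSLParameters(); // what could be enabled explicitly

        System.out.println("Java version:        " + System.getProperty("java.version"));
        System.out.println("Default protocols:   " + Arrays.toString(def.getProtocols()));
        System.out.println("Supported protocols: " + Arrays.toString(sup.getProtocols()));

        // Supported-but-not-default is the common case on newer JDKs, where old
        // protocol versions are removed from the default set by security policy.
        Set<String> defProtos = new LinkedHashSet<String>(Arrays.asList(def.getProtocols()));
        Set<String> supProtos = new LinkedHashSet<String>(Arrays.asList(sup.getProtocols()));
        System.out.println("TLSv1 supported: " + supProtos.contains("TLSv1")
                + ", enabled by default: " + defProtos.contains("TLSv1"));
        for (String legacy : LEGACY_PROTOCOLS) {
            if (defProtos.contains(legacy)) {
                System.out.println("NOTE: legacy protocol enabled by default: " + legacy);
            }
        }

        // Cipher suites: compare the documented list against what this JVM really enables.
        Set<String> enabledSuites =
            new LinkedHashSet<String>(Arrays.asList(def.getCipherSuites()));
        System.out.println();
        System.out.println("Documented TLS_ suites vs. this JVM's defaults:");
        for (String suite : EXPECTED_TLS_SUITES) {
            System.out.printf("  %-36s %s%n", suite,
                enabledSuites.contains(suite) ? "enabled" : "not enabled");
        }

        // Anything with the legacy SSL_ prefix still in the default set is worth listing too.
        System.out.println();
        System.out.println("SSL_-prefixed suites enabled by default:");
        for (String suite : enabledSuites) {
            if (suite.startsWith("SSL_")) {
                System.out.println("  " + suite);
            }
        }
    }
}
```

Run it with `java JsseTlsCheck` under each JVM a client is expected to use; the distinction between "supported" and "default" is the one that matters for a JDBC client, because PgJDBC gets the default parameters unless the application overrides them.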


-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)