I wrote: > libpq versions before 9.4 will only accept TLSv1 exactly. In 9.4 it > should negotiate the highest TLS version supported by both server and > client.
> I don't recall why we didn't back-patch that change, probably excessive > concern for backwards compatibility ... but anyway, AFAICS from the git > logs, it's not in 9.3.x. I think you could get TLS 1.2 from a 9.3 server > and 9.4 libpq, if that helps. Looking back at the discussions, it seems the reason we only changed HEAD is that the change to let libpq negotiate TLS > v1 got conflated with modifying the server to reject SSL v3. See threads here: http://www.postgresql.org/message-id/flat/[email protected]#[email protected] http://www.postgresql.org/message-id/flat/[email protected] and particularly commits 820f08cabdcbb899 and 326e1d73c476a0b5. I think this was probably a mistake. I suggest that in the back branches we should leave the server alone (rejecting SSL v3 might annoy somebody using old non-libpq clients) but adjust libpq to use SSLv23_method() plus SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3. IOW, back-patch 820f08cabdcbb899, though perhaps also the comment adjustments in 326e1d73c476a0b5. This would have the effect of allowing libpq to use TLS-anything, not only TLSv1 which is what it's been requiring since 7.3.2. Thoughts? regards, tom lane -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
