Robert Haas <> writes:
> I don't think it's true that we force the latest TLS version to be
> used.  The comment says:

>         /*
>          * We use SSLv23_method() because it can negotiate use of the highest
>          * mutually supported protocol version, while alternatives like
>          * TLSv1_2_method() permit only one specific version.  Note
> that we don't
>          * actually allow SSL v2 or v3, only TLS protocols (see below).
>          */

> IIUC, this is specifically so that we don't force the use of TLS 1.2
> or TLS 1.1 or TLS 1.0.

Right.  IIUC, there's no way (at least in older OpenSSL versions) to say
directly "we only want TLS >= 1.0", so we have to do it like this.
I found a comment on the web saying "SSLv23_method would be better named
AutoNegotiate_method", which seems accurate.

                        regards, tom lane

Sent via pgsql-hackers mailing list (
To make changes to your subscription:

Reply via email to