Re: TLS 1.0

Ehtesham Pradhan <ehtesham.pradhan@lookout.com> writes:
> Our client is using  Version : PostgreSQL 9.6.17 , they have done vulnerability
> assessment and found that :

>    - TLS version 1.0 Protocol detection
>    - The remote service encrypt traffic with older version of TLS

This is mostly a matter of whether the OpenSSL libraries being used on
both ends are up-to-date.  If you were using PG 12 or later you could
set the server parameter ssl_min_protocol_version to enforce whatever
policy you want about minimum TLS version.  But in 9.6.x it's going
to be strictly a matter of what OpenSSL wants to do.  Check the
system-wide OpenSSL configuration on each end, and update OpenSSL
if necessary.  At least with reasonably modern OpenSSL, you should
be able to enforce a minimum TLS version in OpenSSL's config
(see MinProtocol).

            regards, tom lane