Re: Postgres and TLSv1.2

Jan Bilek <jan.bilek@eftlab.co.uk> writes:
> We are trying to setup Postgres with TLSv1.2 (undergoing PA:DSS audit), 
> but getting a bit stuck there with Postgres reporting “could not accept 
> SSL connection: no shared cipher”. This is obviously an internal OpenSSL 
> message, but worrying part is that we've had this setup running with the 
> other encryptions and the same certificates without any problems.

> We've been trying to follow documentation from here: 
> http://www.postgresql.org/docs/9.3/static/ssl-tcp.html.

libpq versions before 9.4 will only accept TLSv1 exactly.  In 9.4 it
should negotiate the highest TLS version supported by both server and
client.

I don't recall why we didn't back-patch that change, probably excessive
concern for backwards compatibility ... but anyway, AFAICS from the git
logs, it's not in 9.3.x.  I think you could get TLS 1.2 from a 9.3 server
and 9.4 libpq, if that helps.
        regards, tom lane