Re: [PATCH] add ssl_protocols configuration option

Dag-Erling Smørgrav <des@des.no> writes:

> Alex Shulgin <ash@commandprompt.com> writes:
>> * The patch works as advertised, though the only way to verify that
>>   connections made with the protocol disabled by the GUC are indeed
>>   rejected is to edit fe-secure-openssl.c to only allow specific TLS
>>   versions.  Adding configuration on the libpq side as suggested in the
>>   original discussion might help here.
>
> I can easily do that, but I won't have time until next week or so.

I can do that too, just need a hint where to look at in libpq/psql to
add the option.

For SSL we have sslmode and sslcompression, etc. in conninfo, so adding
sslprotocols seems to be an option.  As an aside note: should we also
expose a parameter to choose SSL ciphers (would be a separate patch)?

--
Alex