Re: settings to control SSL/TLS protocol version

On Mon, Oct 1, 2018 at 4:21 PM Peter Eisentraut
<peter.eisentraut@2ndquadrant.com> wrote:
> There have been some requests to be able to select the TLS versions
> PostgreSQL is using.  We currently only hardcode that SSLv2 and SSLv3
> are disabled, but there is also some interest now in disabling TLSv1.0
> and TLSv1.1.  Also, I've had some issues in some combinations with the
> new TLSv1.3, so there is perhaps also some use for disabling at the top end.
>
> Attached is a patch that implements this.  For example:
>
>     ssl_min_protocol_version = 'TLSv1'
>     ssl_max_protocol_version = 'any'

+1.  Maybe it would make sense to spell 'any' as the empty string.
Intuitively, it makes more sense to me to think about there being no
maximum than to think about the maximum being anything.

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company