Re: should libpq also require TLSv1.2 by default?

> On 24 Jun 2020, at 10:46, Magnus Hagander <magnus@hagander.net> wrote:

> It might also be worth noting that it's not really "any protocol version", it means it will be "whatever the openssl
configurationsays", I think? For example, debian buster sets: 
>
> [system_default_sect]
> MinProtocol = TLSv1.2
>
> Which I believe means that if your libpq app is running on debian buster, it will be min v1.2 already

Correct, that being said I'm not sure how common it is for distributions to set
a default protocol version.  The macOS versions I have handy doesn't enforce a
default version, nor does Ubuntu 20.04, FreeBSD 12 or OpenBSD 6.5 AFAICT.

> (and it would likely be more useful to use ssl_min_protocol_version to *lower* that when connecting to older
servers).

That is indeed one use-case for the connection parameter.

cheers ./daniel