Re: settings to control SSL/TLS protocol version

On 01/10/2018 23:30, Daniel Gustafsson wrote:
>>    ssl_min_protocol_version = 'TLSv1'
>>    ssl_max_protocol_version = ‘any'
> 
> I don’t think ‘any’ is a clear name for a setting which means “the highest
> supported version”.  How about ‘max_supported’ or something similar?

I can see the argument for an alternative, but your suggestion is a
mouthful.

> +1 for using a min/max approach for setting the version, and it should be
> trivial to add support for in the pending GnuTLS and Secure Transport patches.

AFAICT, in GnuTLS this is done via the "priorities" setting that also
sets the ciphers.  There is no separate API for just the TLS version.
It would be interesting to see how Secure Transport can do it.

-- 
Peter Eisentraut              http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services