Re: [COMMITTERS] pgsql: libpq: Support TLS versions beyond TLSv1.

From: Craig Ringer
Subject: Re: [COMMITTERS] pgsql: libpq: Support TLS versions beyond TLSv1.
Msg-id: 52E4DF1E.2030006@2ndquadrant.com
In reply to: Re: [COMMITTERS] pgsql: libpq: Support TLS versions beyond TLSv1.  (Alvaro Herrera <alvherre@2ndquadrant.com>)
List: pgsql-hackers
On 01/26/2014 10:13 AM, Alvaro Herrera wrote:
> Stephen Frost wrote:
>> * Noah Misch (noah@leadboat.com) wrote:
>>> +1.  If you can upgrade to 9.4, you can also bring your TLS protocol out of
>>> the iron age.
>>
>> Agreed- this was going to be my 2c.  Anyone w/ an SSL library that old
>> isn't likely to be upgrading to 9.4 of libpq or PG.
> 
> What about people doing SSL connections through JDBC?  As far as I
> understand, these don't use openssl.

That's correct, PgJDBC uses Java's built-in SSL support, which is
provided by the underlying JSSE ("Java Secure Socket Extension") service
in the JVM.

From what I can find, it looks like Java 1.4.2 and newer, including Java
5, appear to support TLS 1.0. I haven't found anything definitive for
1.4.2 yet, but 1.5 certainly supports it.

That's all we need to care about IMO; 1.4.x users are running
unsupported and old PgJDBC versions (we dropped support for 1.4) and
they're generally happy living in the stone age.

So I don't see Java as a barrier here.

----

Finding a good reference on which Java runtimes support which features
is surprisingly hard.

Java 6 supports TLS. It took a bit to confirm that 1.5 does too. 1.4.2
may, but we don't need to care.

http://docs.oracle.com/javase/1.5.0/docs/guide/security/jsse/JSSERefGuide.html

claims:

"The JSSE implementation in the J2SDK 1.4 and later implements SSL 3.0
and TLS 1.0"

... but in the table "Default Enabled Cipher Suites" in:

http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html

Java 1.4.2 and newer are shown to support by default:

TLS_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA

... and a bunch of SSL_ stuff.

So it looks like TLS support has probably been backported to 1.4.2. Java
1.4 is PostgreSQL 7.2 vintage, well into "we don't care, go away" land.

BTW, the JSSE docs also claim that "TLS 1.0 is a modest upgrade to the
most recent version of SSL, version 3.0. The differences between SSL 3.0
and TLS 1.0 are minor".


-- 
Craig Ringer                   http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services

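An added check, not code from this thread or from PgJDBC, that asks the running JVM's JSSE provider which protocols and cipher suites it supports and enables by default. It uses only APIs present since JDK 1.4 so it can be run on the older runtimes discussed above; the class name and the TLS_* counting are my own choices.

```java
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Reports the JSSE defaults of the JVM that runs it, so an operator can see
// whether a given runtime will negotiate TLS (not just SSLv3) with libpq/PostgreSQL.
public class JsseTlsCheck {

    // True if at least one protocol name starting with "TLS" is in the list.
    static boolean hasTlsProtocol(String[] protocols) {
        for (int i = 0; i < protocols.length; i++) {
            if (protocols[i].startsWith("TLS")) {
                return true;
            }
        }
        return false;
    }

    // Number of suites named TLS_* (the naming used in Oracle's
    // "Default Enabled Cipher Suites" table quoted in the message above).
    static int countTlsSuites(String[] suites) {
        int n = 0;
        for (int i = 0; i < suites.length; i++) {
            if (suites[i].startsWith("TLS_")) {
                n++;
            }
        }
        return n;
    }

    static String join(String[] values) {
        StringBuffer sb = new StringBuffer();
        for (int i = 0; i < values.length; i++) {
            sb.append(i == 0 ? "" : " ").append(values[i]);
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        // An unconnected socket is enough to query the provider's defaults.
        SSLSocket sock = (SSLSocket) factory.createSocket();
        System.out.println("java.version       : " + System.getProperty("java.version"));
        System.out.println("supported protocols: " + join(sock.getSupportedProtocols()));
        System.out.println("enabled protocols  : " + join(sock.getEnabledProtocols()));
        System.out.println("enabled TLS_* suites: " + countTlsSuites(sock.getEnabledCipherSuites())
                + " of " + sock.getEnabledCipherSuites().length);
        if (!hasTlsProtocol(sock.getEnabledProtocols())) {
            System.out.println("WARNING: no TLS protocol enabled by default on this runtime");
        }
        sock.close();
    }
}
```

Run it with the same JVM the PgJDBC application uses; the enabled list, not the supported list, is what the driver negotiates with unless the application changes it.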

