> On 2 Oct 2018, at 14:23, Peter Eisentraut <peter.eisentraut@2ndquadrant.com> wrote:
>
> On 01/10/2018 23:30, Daniel Gustafsson wrote:
>>> ssl_min_protocol_version = 'TLSv1'
>>> ssl_max_protocol_version = 'any'
>>
>> I don’t think ‘any’ is a clear name for a setting which means “the highest
>> supported version”. How about ‘max_supported’ or something similar?
>
> I can see the argument for an alternative, but your suggestion is a
> mouthful.

Agreed, but I can’t think of a better wording. Perhaps just ‘tls_max’?

>> +1 for using a min/max approach for setting the version, and it should be
>> trivial to add support for in the pending GnuTLS and Secure Transport patches.
>
> AFAICT, in GnuTLS this is done via the "priorities" setting that also
> sets the ciphers. There is no separate API for just the TLS version.
> It would be interesting to see how Secure Transport can do it.

Secure Transport has a fairly neat API for this, SSLSetProtocolVersionMax() and
SSLSetProtocolVersionMin() (available since Lion).

cheers ./daniel