Dag-Erling Smørgrav <des@des.no> writes:
> Alex Shulgin <ash@commandprompt.com> writes:
>> * The patch works as advertised, though the only way to verify that
>> connections made with the protocol disabled by the GUC are indeed
>> rejected is to edit fe-secure-openssl.c to only allow specific TLS
>> versions. Adding configuration on the libpq side as suggested in the
>> original discussion might help here.
>
> I can easily do that, but I won't have time until next week or so.

I can do that too, just need a hint where to look in libpq/psql to
add the option.

For SSL we have sslmode and sslcompression, etc. in conninfo, so adding
sslprotocols seems to be an option. As an aside: should we also
expose a parameter to choose SSL ciphers (would be a separate patch)?
--
Alex