Dag-Erling Smørgrav <des@des.no> writes:
> Alvaro Herrera <alvherre@2ndquadrant.com> writes:
>> OpenSSL 0.9.7 has already not gotten fixes for all the latest flurry of
>> security issues, so anyone who *is* using SSL but not at least the 0.9.8
>> branch, they are in trouble.
> The latest 0.9.8 still only has TLS 1.0, unless they're planning to
> backport 1.1 and 1.2 (which I seriously doubt).
The upshot of this conversation still seems to be that we don't need to
do anything. Unless I'm misunderstanding something:
(1) No currently supported (or even recently supported) version of either
the backend or libpq will select a protocol version less than TLS 1.0 unless
forced to via (poorly chosen) configuration settings.
(2) Anyone who is feeling paranoid about shutting off SSLv3 despite (1)
can do so via the existing ssl_ciphers GUC parameter.
Seems to me that's sufficient, not only for now but for the future;
existing OpenSSL practice is that the ciphers string includes categories
corresponding to protocol versions, so you can shut off an old
protocol version there if you need to.
regards, tom lane
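The point in (2) above, that a protocol version can be shut off through the ssl_ciphers cipher string, is easier to reason about with a model of how OpenSSL evaluates such strings. The block below is an added example written for this page, not code from the thread or from PostgreSQL or OpenSSL. It implements a simplified evaluator for the cipher-list grammar (keywords, `!`, `-`, `+`, `A+B` conjunctions and `@STRENGTH`) over a small constructed suite table whose tags are hand-written to follow OpenSSL's keyword categories; the string `ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH` is used as an example ssl_ciphers value in the style of older postgresql.conf defaults, and the exact suite list and bit counts are assumptions of the example.

```python
"""Simplified evaluator for OpenSSL-style cipher list strings (added example).

The suite table is a constructed subset.  In OpenSSL the SSLv3 and TLSv1
keywords are synonyms: they select the suites usable with SSLv3 *and* with
TLS 1.0/1.1, so excluding them also removes everything a TLS 1.0-only peer
could negotiate.  TLSv1.2 selects the AEAD/SHA-2 suites.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str
    bits: int
    tags: frozenset


def _suite(name, bits, *tags):
    # every suite is selectable via ALL and via its own name, as in OpenSSL
    return Suite(name, bits, frozenset(tags) | {"ALL", name})


# Constructed subset of suites; tags follow OpenSSL's keyword categories.
SUITES = (
    _suite("ECDHE-RSA-AES256-GCM-SHA384", 256, "HIGH", "TLSv1.2", "kECDHE", "aRSA", "ECDHE", "AESGCM", "SHA384"),
    _suite("ECDHE-RSA-AES128-GCM-SHA256", 128, "HIGH", "TLSv1.2", "kECDHE", "aRSA", "ECDHE", "AESGCM", "SHA256"),
    _suite("DHE-RSA-AES256-SHA", 256, "HIGH", "SSLv3", "TLSv1", "kEDH", "aRSA", "AES", "SHA1"),
    _suite("AES128-SHA", 128, "HIGH", "SSLv3", "TLSv1", "kRSA", "aRSA", "AES", "SHA1"),
    _suite("ADH-AES128-SHA", 128, "HIGH", "SSLv3", "TLSv1", "kEDH", "aNULL", "ADH", "AES", "SHA1"),
    _suite("RC4-MD5", 128, "MEDIUM", "SSLv3", "TLSv1", "kRSA", "aRSA", "RC4", "MD5"),
    _suite("EXP-RC4-MD5", 40, "EXP", "EXPORT40", "SSLv3", "TLSv1", "kRSA", "aRSA", "RC4", "MD5"),
)

PROTOCOL_KEYWORDS = frozenset({"SSLv3", "TLSv1", "TLSv1.2"})


def _matches(suite, keyword):
    # "ECDHE+AESGCM" style conjunction: every part must apply to the suite
    return all(part in suite.tags for part in keyword.split("+"))


def evaluate(cipher_string, suites=SUITES):
    """Return the suite names a cipher string enables, in preference order."""
    selected = []   # current ordered list of Suite objects
    killed = set()  # names removed with '!' can never be re-added
    for token in cipher_string.split(":"):
        if not token:
            continue
        if token == "@STRENGTH":
            # stable sort: equal key sizes keep their relative order
            selected.sort(key=lambda s: s.bits, reverse=True)
            continue
        if token.startswith("@"):
            raise ValueError(f"unsupported directive {token}")
        op, keyword = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        hits = [s for s in suites if _matches(s, keyword)]
        if op == "!":
            killed.update(s.name for s in hits)
            selected = [s for s in selected if s.name not in killed]
        elif op == "-":
            # removed for now, but a later keyword may add them back
            selected = [s for s in selected if s not in hits]
        elif op == "+":
            # move matching suites to the end of the preference list
            moved = [s for s in selected if s in hits]
            selected = [s for s in selected if s not in hits] + moved
        else:
            for s in hits:
                if s.name not in killed and s not in selected:
                    selected.append(s)
    return [s.name for s in selected]


def protocols_offered(cipher_string, suites=SUITES):
    """Protocol keywords still covered by at least one enabled suite."""
    names = set(evaluate(cipher_string, suites))
    found = {v for s in suites if s.name in names for v in s.tags & PROTOCOL_KEYWORDS}
    return sorted(found)


if __name__ == "__main__":
    for s in ("ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH", "HIGH:!aNULL", "HIGH:!SSLv3"):
        print(f"{s:40} -> {evaluate(s)}  protocols={protocols_offered(s)}")
```

Running the script shows the practical caveat behind this approach: `HIGH:!SSLv3` leaves only the TLSv1.2 suites in this table, so it shuts off SSLv3 but also leaves a TLS 1.0/1.1 peer nothing to negotiate, because those versions share the SSLv3 suite set. A cipher-string exclusion is therefore a coarser tool than a protocol-version option (the `SSL_OP_NO_SSLv3` style option in OpenSSL, or the `ssl_min_protocol_version` parameter that later PostgreSQL releases added), and is worth checking with `openssl ciphers -v` against the real library before deploying.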