Re: [PATCH] add ssl_protocols configuration option

From Magnus Hagander
Subject Re: [PATCH] add ssl_protocols configuration option
Date
Msg-id CABUevEyAehByVLEEUhHjdrx5uoyU1h2zkOkLmp1ihRxxYfHx6g@mail.gmail.com
In response to Re: [PATCH] add ssl_protocols configuration option  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: [PATCH] add ssl_protocols configuration option
List pgsql-hackers

On Oct 19, 2014 9:18 PM, "Tom Lane" <tgl@sss.pgh.pa.us> wrote:
>
> Magnus Hagander <magnus@hagander.net> writes:
> > On Sun, Oct 19, 2014 at 6:17 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> >> And in the end, if we set values like this from PG --- whether
> >> hard-wired or via a GUC --- the SSL library people will have exactly
> >> the same perspective with regards to *our* values.  And not without
> >> reason; we were forcing very obsolete settings up till recently,
> >> because nobody had looked at the issue for a decade.  I see no reason
> >> to expect that that history won't repeat itself.
>
> > The best part would be if we could just leave it up to the SSL
> > library, but at least the openssl one doesn't have an API that lets us
> > do that, right? We *have* to pick something...
>
> As far as protocol version goes, I think our existing coding basically
> says "prefer newest available version, but at least TLS 1.0".  I think
> that's probably a reasonable approach.
>

Yes, it does that. Though it only does it on 9.4, but with the facts we know now, what 9.4+ does is perfectly safe.

/Magnus
