On 2019-12-02 17:39, Tom Lane wrote:
> Robert Haas <robertmhaas@gmail.com> writes:
>> ... However, it would be worth putting in some
>> effort to make sure that we give a good error message if this happens.
>
> That's an excellent point, but it looks like we're pretty good
> already. I tried the patch with openssl 0.9.8x, and got this
> failure at server start:
>
> FATAL: ssl_min_protocol_version setting TLSv1.2 not supported by this build
That's the easy part, since it's under our control. The other situation
is if you connect with an old library to a newer server that has the
raised ssl_min_protocol_version setting. Then you get something like this:
psql: SSL error: tlsv1 alert protocol version
and on the server:
LOG: could not accept SSL connection: unsupported protocol
Not great, but usable.
(What actually happens due to the default of PGSSLMODE=prefer is that
psql/libpq will have the SSL connection attempt rejected and will
connect using a non-SSL connection.)
--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services