Update minimum SSL version
authorPeter Eisentraut <peter@eisentraut.org>
Wed, 4 Dec 2019 20:40:17 +0000 (21:40 +0100)
committerPeter Eisentraut <peter@eisentraut.org>
Wed, 4 Dec 2019 21:07:43 +0000 (22:07 +0100)
Change default of ssl_min_protocol_version to TLSv1.2 (from TLSv1,
which means 1.0).  Older versions are still supported, just not by
default.

TLS 1.0 is widely deprecated, and TLS 1.1 only slightly less so.  All
OpenSSL versions that support TLS 1.1 also support TLS 1.2, so there
would be very little reason to, say, set the default to TLS 1.1
instead on grounds of better compatibility.

The test suite overrides this new setting, so it can still run with
older OpenSSL versions.

Discussion: https://www.postgresql.org/message-id/flat/b327f8df-da98-054d-0cc5-b76a857cfed9%402ndquadrant.com

doc/src/sgml/config.sgml
src/backend/utils/misc/guc.c
src/backend/utils/misc/postgresql.conf.sample
src/test/ssl/t/SSLServer.pm

index 4ec13f3311cc84f345f78f804fab9b277006a864..53ac14490a1932a4b8d42d263e2ea950b448878c 100644 (file)
@@ -1365,10 +1365,8 @@ include_dir 'conf.d'
        </para>
 
        <para>
-        The default is <literal>TLSv1</literal>, mainly to support older
-        versions of the <productname>OpenSSL</productname> library.  You might
-        want to set this to a higher value if all software components can
-        support the newer protocol versions.
+        The default is <literal>TLSv1.2</literal>, which satisfies industry
+        best practices as of this writing.
        </para>
       </listitem>
      </varlistentry>
index 5fccc9683ee967e9ea72db43bbcc3485974853d6..ba74bf9f7dc25ccd2a929a5c7917f549f35b4c46 100644 (file)
@@ -4573,7 +4573,7 @@ static struct config_enum ConfigureNamesEnum[] =
            GUC_SUPERUSER_ONLY
        },
        &ssl_min_protocol_version,
-       PG_TLS1_VERSION,
+       PG_TLS1_2_VERSION,
        ssl_protocol_versions_info + 1, /* don't allow PG_TLS_ANY */
        NULL, NULL, NULL
    },
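Review bot: The new default `PG_TLS1_2_VERSION` can now be higher than an explicitly configured `ssl_max_protocol_version` of TLSv1 or TLSv1.1, a combination that was consistent under the old TLSv1 default; if the range check elsewhere in the SSL setup rejects min > max, such servers will fail SSL initialization after upgrading without having changed their own settings. The hunk shows only the default slot of the ConfigureNamesEnum entry, which begins and ends outside the hunk. A short comment at the default would help the next reader, e.g. `PG_TLS1_2_VERSION,	/* TLS 1.0/1.1 are deprecated; keep in sync with config.sgml and postgresql.conf.sample */`. A release-note line calling out the interaction with ssl_max_protocol_version would also be worth adding.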
index 46a06ffacd4db0464afcfb2010d4b80ec411a9e6..9541879c1facb958f3ba01c62c847d308a8ac8d6 100644 (file)
 #ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
 #ssl_prefer_server_ciphers = on
 #ssl_ecdh_curve = 'prime256v1'
-#ssl_min_protocol_version = 'TLSv1'
+#ssl_min_protocol_version = 'TLSv1.2'
 #ssl_max_protocol_version = ''
 #ssl_dh_params_file = ''
 #ssl_passphrase_command = ''
index 005955a2ff736ea094c4bee504c47a66f8566026..26b5964f4fe23a93d9663203c53ae384a6d66a83 100644 (file)
@@ -132,6 +132,10 @@ sub configure_test_server_for_ssl
    print $conf "listen_addresses='$serverhost'\n";
    print $conf "log_statement=all\n";
 
+   # Accept even old TLS versions so that builds with older OpenSSL
+   # can run the test suite.
+   print $conf "ssl_min_protocol_version='TLSv1'\n";
+
    # enable SSL and set up server key
    print $conf "include 'sslconfig.conf'\n";
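Review bot: Writing `ssl_min_protocol_version='TLSv1'` unconditionally means the SSL test suite no longer exercises the shipped default of TLSv1.2, so a regression in the new default or in the TLSv1.2 handshake path would not be caught here. Consider limiting the override to OpenSSL builds that actually lack TLS 1.2, or adding one test that starts the server without this line and checks that `SHOW ssl_min_protocol_version` reports `TLSv1.2` and that a TLSv1.2 client connection succeeds. The enclosing sub configure_test_server_for_ssl continues outside the hunk. The added comment could also say why the override is not harmful to coverage, e.g. `# Accept even old TLS versions so that builds with older OpenSSL (without TLS 1.2) can run the test suite; the TLSv1.2 default is not tested here.`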