On Oct 19, 2014 9:18 PM, "Tom Lane" <t...@sss.pgh.pa.us> wrote: > > Magnus Hagander <mag...@hagander.net> writes: > > On Sun, Oct 19, 2014 at 6:17 PM, Tom Lane <t...@sss.pgh.pa.us> wrote: > >> And in the end, if we set values like this from PG --- whether > >> hard-wired or via a GUC --- the SSL library people will have exactly > >> the same perspective with regards to *our* values. And not without > >> reason; we were forcing very obsolete settings up till recently, > >> because nobody had looked at the issue for a decade. I see no reason > >> to expect that that history won't repeat itself. > > > The best part would be if we could just leave it up to the SSL > > library, but at least the openssl one doesn't have an API that lets us > > do that, right? We *have* to pick something... > > As far as protocol version goes, I think our existing coding basically > says "prefer newest available version, but at least TLS 1.0". I think > that's probably a reasonable approach. >
Yes, it does that. Though it only does it on 9.4,but with the facts we know now, what 9.4+ does is perfectly safe. /Magnus
