Unable to connect to secure cluster using PHP 7.2 with OpenSSL/1.0.2o

Version Info
|PostgreSQL(libpq) Version|9.2.4|
|Module version|7.2.6|

It appears that PHP by default might be connecting using a lower version of TLS (< 1.2), but I don’t know why. We are using the newest version of PHP and PGSQL driver, but we keep getting the dreaded “Unhandled Exception: SQLSTATE[08006] [7] SSL error: tlsv1 alert protocol version” error message.

curl can connect to TLSv1.2 no problem but it appears the pgsql driver won’t.

While it is not as secure, is there a way to create TLS v1 certs so we can at least connect to a somewhat secure cluster (rather than insecure)? Thank you!

Unfortunately the TLS version is not influenced by the certificates.

I’m surprised php’s pgsql does not support TLS 1.2. As far as I know, it uses libpq (the C library) for the postgres connection. Making sure that libpq is at a recent version should do the trick. This in turn will probably require a reasonably recent version of openssl as well.

The restriction comes from our server code which specifically prohibits versions lower than TLS 1.2. You could rebuild cockroach from source after changing this line to tls.VersionTLS11 (you can see the details for the tls.Config data structure in the Go TLS docs). We do not intend to provide a flag to override this as TLS 1.1 is getting seriously old. We may provide a flag to force the minimum version to TLS 1.3 once that’s more widely supported.
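The version mismatch discussed in this thread, reproduced as an added example (not CockroachDB's code and not written by any poster): a local Go listener with `MinVersion: tls.VersionTLS12` stands in for the cluster, and a client capped at each TLS version in turn plays the part of an older client library. The helper names `startServer` and `probe` and the throwaway test certificate from `httptest` are assumptions of the example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http/httptest"
)

// startServer starts a local TLS listener that refuses anything older than
// TLS 1.2. httptest supplies a throwaway test certificate (assumption).
func startServer() (*httptest.Server, *x509.CertPool) {
	srv := httptest.NewUnstartedServer(nil)
	srv.TLS = &tls.Config{MinVersion: tls.VersionTLS12}
	srv.StartTLS()
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	return srv, pool
}

// probe attempts a handshake with the client capped at maxVer and returns
// the negotiated protocol version, or the handshake error.
func probe(addr string, roots *x509.CertPool, maxVer uint16) (uint16, error) {
	cfg := &tls.Config{
		RootCAs:    roots,
		MinVersion: tls.VersionTLS10, // allow old versions so the cap takes effect
		MaxVersion: maxVer,
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	return conn.ConnectionState().Version, nil
}

func main() {
	srv, roots := startServer()
	defer srv.Close()
	addr := srv.Listener.Addr().String()
	for _, v := range []uint16{tls.VersionTLS10, tls.VersionTLS11, tls.VersionTLS12, tls.VersionTLS13} {
		if got, err := probe(addr, roots, v); err != nil {
			fmt.Printf("client max 0x%04x -> rejected: %v\n", v, err)
		} else {
			fmt.Printf("client max 0x%04x -> negotiated 0x%04x\n", v, got)
		}
	}
}
```

The rejected handshakes fail with a protocol version alert regardless of which certificate the server presents, which is the same alert the PHP error message reports.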

According to this message, libpq gained support for newer versions of TLS in version 9.4 (which was released in 2014), so it looks like you need to upgrade your version of libpq.

Thanks Marc! I know this is probably a stupid question, but will there ever be a feature to allow “non-ssl” traffic but with user/password authentication? So basically like doing basic authentication of HTTP. Yeah, yeah, I know, not secure, but at least some form of security would help. :slight_smile: Thanks for the prompt response (on a Sunday even!)

Thanks Ben! I’m looking into how to obtain a later version of libpq. The PHP we’re using is from XAMPP (ApacheFriends) with PHP 7.2. I’ll ask them when they will update libpq in their package as well. :slight_smile: