Re: Add support to TLS 1.3 cipher suites and curves lists - Mailing list pgsql-hackers

From Daniel Gustafsson
Subject Re: Add support to TLS 1.3 cipher suites and curves lists
Msg-id 4F40C22B-4150-4F6C-9057-80A688E44B64@yesql.se
In response to Re:Re: Add support to TLS 1.3 cipher suites and curves lists  ("Erica Zhang" <ericazhangy2021@qq.com>)
Responses Re: Add support to TLS 1.3 cipher suites and curves lists
Re: Add support to TLS 1.3 cipher suites and curves lists
List pgsql-hackers
I had a look at this patchset today and I think I've come around to the idea of
having a separate GUC for cipher suites.  I don't have strong opinions on
renaming ssl_ecdh_curve to reflect that it can take a list of multiple values,
there is merit to having descriptive names but it would also be an invasive
change for adding suffix 's'.

After fiddling a bit with the code and documentation I came up with the
attached version which also makes the testsuite use the list syntax in order to
test it.  It's essentially just polish and adding comments with the functional
changes that a) it parses the entire list of curves so all errors can be
reported instead of giving up at the first error; b) leaving the cipher suite
GUC blank will set the suites to the OpenSSL default value.

This patch requires OpenSSL 1.1.1 as the minimum version, which in my view is
fine.  Removing support for older OpenSSL versions is being discussed already
and this makes a good case for requiring 1.1.1.  It does however mean that this
patch cannot be committed until that has been done.  I have yet to test
this with LibreSSL.

As was suggested in a related thread I think we should change the default value
of the ECDH curves parameter, but that's for another patch.

--
Daniel Gustafsson
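The two functional changes described above, list parsing that reports every bad entry instead of stopping at the first, and a blank cipher-suite setting meaning "OpenSSL default", are small enough to show in isolation. The following is an added illustration written for this page; it is not code from the patch or from PostgreSQL, and it does not call OpenSSL. KNOWN_CURVES is a constructed subset standing in for the names OpenSSL resolves with OBJ_sn2nid(), TLS13_SUITES is the RFC 8446 suite list used here as the accepted vocabulary (an assumption; the real GUC would defer to SSL_CTX_set_ciphersuites()), and OPENSSL_DEFAULT_SUITES is the compiled-in TLS 1.3 default of OpenSSL 1.1.1 and 3.x.

```python
from dataclasses import dataclass, field

# Constructed stand-in for the curve names OpenSSL resolves via OBJ_sn2nid().
# Only a subset, enough to exercise the parser; not the full OpenSSL table.
KNOWN_CURVES = {"prime256v1", "secp384r1", "secp521r1", "X25519", "X448"}

# The five TLS 1.3 cipher suites from RFC 8446.  Assumption for this example:
# the setting accepts exactly these names.  A real implementation would hand
# the string to SSL_CTX_set_ciphersuites() and let OpenSSL judge it.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}

# OpenSSL's own default TLS 1.3 suite list (OpenSSL 1.1.1 and 3.x).
OPENSSL_DEFAULT_SUITES = (
    "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
)


@dataclass
class ParseResult:
    accepted: list = field(default_factory=list)
    errors: list = field(default_factory=list)


def _split_list(value):
    # Colon-separated, like OpenSSL's own group and cipher-suite strings.
    # Blank entries (a trailing ':' or a doubled '::') are kept so that the
    # caller can report them instead of silently dropping them.
    return [item.strip() for item in value.split(":")]


def parse_curves_fail_fast(value):
    """The behaviour the patch replaces: stop at the first unknown name."""
    result = ParseResult()
    for name in _split_list(value):
        if name not in KNOWN_CURVES:
            result.errors.append(f'unrecognized curve "{name}"')
            return result          # later bad entries are never seen
        result.accepted.append(name)
    return result


def parse_curves(value):
    """Walk the whole list so every bad entry is reported in one pass."""
    result = ParseResult()
    for name in _split_list(value):
        if name == "":
            result.errors.append("empty curve name in list")
        elif name not in KNOWN_CURVES:
            result.errors.append(f'unrecognized curve "{name}"')
        else:
            result.accepted.append(name)
    return result


def resolve_ciphersuites(value):
    """Blank setting -> OpenSSL default; otherwise validate every suite name.

    Returns (suite_string, errors).  suite_string is None when any entry
    is rejected, so a partially valid list is never applied by accident.
    """
    if value.strip() == "":
        return OPENSSL_DEFAULT_SUITES, []
    errors = []
    accepted = []
    for name in _split_list(value):
        if name == "":
            errors.append("empty cipher suite name in list")
        elif name not in TLS13_SUITES:
            # Catches TLS 1.2-style names such as ECDHE-RSA-AES128-GCM-SHA256,
            # which belong in ssl_ciphers, not in a TLS 1.3 suite list.
            errors.append(f'"{name}" is not a TLS 1.3 cipher suite')
        else:
            accepted.append(name)
    if errors:
        return None, errors
    return ":".join(accepted), []


if __name__ == "__main__":
    # Constructed sample input with two bad entries.
    sample = "prime256v1:bogus:X25519:nope"
    print("fail-fast :", parse_curves_fail_fast(sample).errors)
    print("whole list:", parse_curves(sample).errors)
    print("blank GUC :", resolve_ciphersuites("")[0])
```

Running the module prints one error for the fail-fast parser and two for the whole-list parser on the same input, which is the difference the patch is after: an operator fixing a misconfigured ssl_ecdh_curve list sees every problem on the first restart attempt rather than one per cycle.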

