I had a look at this patchset today and I think I've come around to the idea of
having a separate GUC for cipher suites. I don't have strong opinions on
renaming ssl_ecdh_curve to reflect that it can take a list of multiple values,
there is merit to having descriptive names but it would also be an invasive
change for adding suffix 's'.
After fiddling a bit with the code and documentation I came up with the
attached version which also makes the testsuite use the list syntax in order to
test it. It's essentially just polish and adding comments with the functional
changes that a) it parses the entire list of curves so all errors can be
reported instead of giving up at the first error; b) leaving the cipher suite
GUC blank will set the suites to the OpenSSL default vale.
This patch requires OpenSSL 1.1.1 as the minimum version, which in my view is
fine. Removing support for older OpenSSL versions is being discussed already
and this makes a good case for requiring 1.1.1. It does however mean that this
patch cannot be commmitted until that has been done though. I have yet to test
this with LibreSSL.
As was suggested in a related thread I think we should change the default value
of the ECDH curves parameter, but that's for another patch.
--
Daniel Gustafsson
