Postgres Pro
Downloads
Home   >   mailing lists

Re: ecdh support causes unnecessary roundtrips - Mailing list pgsql-hackers

From Daniel Gustafsson
Subject Re: ecdh support causes unnecessary roundtrips
Date
Msg-id 6287D2CC-FC9B-4D29-90C7-B7127BD80908@yesql.se
Whole thread Raw
In response to Re: ecdh support causes unnecessary roundtrips  (Andres Freund <andres@anarazel.de>)
Responses Re: ecdh support causes unnecessary roundtrips
List pgsql-hackers
Tree view 
> On 17 Jun 2024, at 19:01, Andres Freund <andres@anarazel.de> wrote:
> On 2024-06-17 12:00:30 +0200, Daniel Gustafsson wrote:
>>> On 17 Jun 2024, at 01:46, Andres Freund <andres@anarazel.de> wrote:

>>> I don't know if it's good that we're calling SSL_CTX_set_tmp_ecdh at all,
>>
>> To set the specified curve in ssl_ecdh_curve we have to don't we?
>
> Sure, but it's not obvious to me why we actually want to override openssl's
> defaults here. There's not even a parameter to opt out of forcing a specific
> choice on the server side.

I agree that the GUC is a bit rough around the edges, maybe leavint it blank or
something should be defined as "OpenSSL defaults".  Let's bring that to Erica's
patch for allowing a list of curves.

>>> I did confirm that doing the same thing on the client side removes the
>>> additional roundtrip.
>>
>> The roundtrip went away because the client was set to use secp256r1?
>
> Yes. Or if I change the server to not set the ecdh curve.

Configuring the server to use x25519 instead of secp256r1 should achieve the
same thing.

>> I wonder if that made OpenSSL override the min protocol version and switch
>> to a TLS1.3 ClientHello since it otherwise couldn't announce the curve.
>
> The client seems to announce the curve in the initial ClientHello even with
> 1.3 as the minimum version.

With 1.3 it should announce it in ClientHello, do you mean that it's announced
when 1.2 is the minimum version as well?  It does make sense since a 1.2 server
is defined to disregard all extensions.

> What *does* make the HRR go away is setting ssl_max_protocol_version=TLSv1.2
> on the client side.

Makes sense, that would remove the curve and there is no change required.

> https://wiki.openssl.org/index.php/TLS1.3 says:
>
>> In practice most clients will use X25519 or P-256 for their initial
>> key_share. For maximum performance it is recommended that servers are
>> configured to support at least those two groups and clients use one of those
>> two for its initial key_share. This is the default case (OpenSSL clients
>> will use X25519).
>
> We're not allowing both groups and the client defaults to X25519, hence
> the HRR.

So this would be solved by the curve-list patch referenced above, especially if
allow it to have an opt-out to use OpenSSL defaults.

--
Daniel Gustafsson

pgsql-hackers by date:

Previous
From: Jacob Champion
Date:
Subject: Re: ecdh support causes unnecessary roundtrips
Next
From: Andres Freund
Date:
Subject: tls 1.3: sending multiple tickets