First of all, thank you all for working on this feature.
On Wed, Sep 25, 2024 at 10:51:05AM +0200, Peter Eisentraut wrote:
> On 18.09.24 22:48, Jacob Champion wrote:
>> > +#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed TLSv1.2 ciphers
>> > +#ssl_cipher_suites = '' # allowed TLSv1.3 cipher suites, blank for default
>> After marinating on this a bit... I think the naming may result in
>> some "who's on first" miscommunications in forums and on the list. "I
>> set the SSL ciphers to <whatever>, but it says there are no valid
>> ciphers available!" Should we put TLS 1.3 into the new GUC name
>> somehow?
>
> Yeah, I think just
>
> ssl_ciphers =
> ssl_ciphers_tlsv13 =
>
> would be clear enough. Just using "ciphers" vs. "cipher suites" would not
> be.
Sorry for chiming in so late here, but I was a little surprised to see the
TLS version in the GUC name. ISTM this would require us to create a new
GUC for every new TLS version, or explain that ssl_tls13_ciphers isn't just
for 1.3. Perhaps neither of those things are too terrible, but I felt it
was worth bringing up.
--
nathan
