Re: Add support to TLS 1.3 cipher suites and curves lists - Mailing list pgsql-hackers

From Peter Eisentraut
Subject Re: Add support to TLS 1.3 cipher suites and curves lists
Date
Msg-id f339166b-8ab5-4bd6-96ae-d4acf4c3751c@eisentraut.org
In response to Re: Add support to TLS 1.3 cipher suites and curves lists  (Daniel Gustafsson <daniel@yesql.se>)
Responses Re: Add support to TLS 1.3 cipher suites and curves lists
List pgsql-hackers
On 03.07.24 17:20, Daniel Gustafsson wrote:
> After fiddling a bit with the code and documentation I came up with the
> attached version which also makes the testsuite use the list syntax in order to
> test it.  It's essentially just polish and adding comments with the functional
> changes that a) it parses the entire list of curves so all errors can be
> reported instead of giving up at the first error; b) leaving the cipher suite
> GUC blank will set the suites to the OpenSSL default value.

It would be worth checking the discussion at 
<https://www.postgresql.org/message-id/flat/79692bf9-17d3-41e6-b9c9-fc8c3944222a@eisentraut.org> 
about strtok()/strtok_r() issues.  First, for list parsing, it sometimes 
gives the wrong semantics, which I think might apply here.  Maybe it's 
worth comparing this with the semantics that OpenSSL provides natively. 
And second, strtok_r() is not available on Windows without the 
workaround provided in that thread.

I'm doubtful that it's worth replicating all this list parsing logic 
instead of just letting OpenSSL do it.  This is a very marginal feature 
after all.
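
Added example, not part of the original message or of the patch under discussion: one well-known way a strtok()/strtok_r() loop differs from strict list parsing is that it collapses runs of delimiters, so empty list elements are dropped without an error. The colon delimiter, the constructed sample lists and the function names `count_strtok` and `count_strict` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Count elements the way a strtok() loop sees them (strtok_r() tokenizes
 * identically): leading, trailing and repeated delimiters are skipped,
 * so empty elements vanish silently. */
static int count_strtok(const char *list, const char *delim)
{
    char buf[256];
    int n = 0;

    snprintf(buf, sizeof(buf), "%s", list);   /* strtok() modifies its input */
    for (char *tok = strtok(buf, delim); tok != NULL; tok = strtok(NULL, delim))
        n++;
    return n;
}

/* Strict split: every delimiter separates two fields, so "a::b" has three
 * fields, one of them empty.  Returns the field count and stores the
 * number of empty fields in *empty so the caller can report them. */
static int count_strict(const char *list, char delim, int *empty)
{
    const char *p = list;
    int n = 0;

    *empty = 0;
    for (;;)
    {
        const char *end = strchr(p, delim);
        size_t len = end ? (size_t) (end - p) : strlen(p);

        n++;
        if (len == 0)
            (*empty)++;
        if (end == NULL)
            return n;
        p = end + 1;
    }
}

int main(void)
{
    /* Constructed sample inputs, not taken from the patch or its tests. */
    const char *samples[] = {"X25519:prime256v1", "X25519::prime256v1", ":X25519:", ""};

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
    {
        int empty;
        int strict = count_strict(samples[i], ':', &empty);
        printf("\"%s\": strtok=%d strict=%d empty=%d\n", samples[i],
               count_strtok(samples[i], ":"), strict, empty);
    }
    return 0;
}
```

A validator built on the strict variant can reject or report the empty elements, which a strtok()-style loop never sees.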



