From: | Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> |
---|---|
To: | Postgres hackers <pgsql-hackers(at)postgresql(dot)org> |
Cc: | Michael Paquier <michael(at)paquier(dot)xyz> |
Subject: | TLS 1.3 and OpenSSL |
Date: | 2018-06-29 20:47:00 |
Message-ID: | 06fef5f1-8220-7f6d-7ec4-318d69f77c1a@2ndquadrant.com |
Lists: | pgsql-hackers pgsql-www |

On 29.06.18 03:37, Michael Paquier wrote:
> The set of APIs that we use to the SSL abstraction layer is very
> internal, so it would not be an issue if we add some in stable branches,
> no? My point is that from OpenSSL point of view, TLS 1.3 stuff has been
> added in 1.1.1 which is now in beta 6 stage, so we could consider as
> well all this part once OpenSSL is released. That's compatibility work
> I wanted to work on anyway. Impossible to say down to which versions of
> Postgres things could be applied easily though without a deep
> investigation of the new compatibility breakages that upstream OpenSSL
> has very-likely introduced in upstream.

One thing we should look into is that OpenSSL maintains separate cipher
lists for TLS <=1.2 and TLS 1.3. So the current ssl_ciphers GUC only
affects TLS <=1.2 connections. We would probably need to add a separate
setting for TLS 1.3.

Here is the relevant man page:
https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_cipher_list.html

This isn't critical, since most people probably run well with the
defaults, but someone once wanted the ssl_ciphers GUC, so they'll
eventually want one for TLS 1.3 as well.

--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
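
The split between the two cipher lists described in the message above can be observed from Python's ssl module, whose `set_ciphers()` calls the same `SSL_CTX_set_cipher_list()`. This is an added example, not code from the thread or from PostgreSQL; the function names and the sample cipher string are constructed for illustration, and it assumes the string is a colon-separated list of explicit suite names.

```python
import ssl


def enabled_suites(ctx):
    """Split the suites enabled on ctx into (TLS <= 1.2, TLS 1.3) name lists."""
    legacy, tls13 = [], []
    for suite in ctx.get_ciphers():
        bucket = tls13 if suite["protocol"] == "TLSv1.3" else legacy
        bucket.append(suite["name"])
    return sorted(legacy), sorted(tls13)


def audit_cipher_string(cipher_string):
    """Apply an OpenSSL cipher string and report what it did and did not change."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    legacy_before, tls13_before = enabled_suites(ctx)
    # set_ciphers() goes through SSL_CTX_set_cipher_list(), i.e. the
    # TLS <= 1.2 list; the TLS 1.3 list is a separate setting in OpenSSL
    # (SSL_CTX_set_ciphersuites() on the man page linked above).
    ctx.set_ciphers(cipher_string)
    legacy_after, tls13_after = enabled_suites(ctx)
    # Assumption: the string holds explicit suite names, no keywords like HIGH.
    requested = set(cipher_string.split(":"))
    return {
        "legacy_before": legacy_before,
        "legacy_after": legacy_after,
        "tls13_after": tls13_after,
        "tls13_unchanged": tls13_before == tls13_after,
        # Suites that remain negotiable although nobody listed them.
        "not_requested": [n for n in legacy_after + tls13_after
                          if n not in requested],
    }


# Constructed sample value in the style of an ssl_ciphers setting.
SAMPLE_SSL_CIPHERS = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"

if __name__ == "__main__":
    report = audit_cipher_string(SAMPLE_SSL_CIPHERS)
    print("OpenSSL build:       ", ssl.OPENSSL_VERSION)
    print("TLS <= 1.2 before:   ", len(report["legacy_before"]), "suites")
    print("TLS <= 1.2 after:    ", report["legacy_after"])
    print("TLS 1.3 after:       ", report["tls13_after"])
    print("TLS 1.3 unchanged:   ", report["tls13_unchanged"])
    print("Enabled, not listed: ", report["not_requested"])
```

On a build linked against OpenSSL 1.1.1 or later, the last line lists the TLS 1.3 suites, which is the gap a cipher-restriction audit has to account for.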