Re: Add support to TLS 1.3 cipher suites and curves lists

From: Daniel Gustafsson <daniel(at)yesql(dot)se>
To: Erica Zhang <ericazhangy2021(at)qq(dot)com>
Cc: Andres Freund <andres(at)anarazel(dot)de>, Jelte Fennema-Nio <postgres(at)jeltef(dot)nl>, Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com>, Peter Eisentraut <peter(at)eisentraut(dot)org>, pgsql-hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: Re: Add support to TLS 1.3 cipher suites and curves lists
Date: 2024-07-03 16:20:21
Message-ID: 4F40C22B-4150-4F6C-9057-80A688E44B64@yesql.se
Lists: pgsql-hackers

I had a look at this patchset today and I think I've come around to the idea of
having a separate GUC for cipher suites. I don't have strong opinions on
renaming ssl_ecdh_curve to reflect that it can take a list of multiple values,
there is merit to having descriptive names but it would also be an invasive
change for adding suffix 's'.

After fiddling a bit with the code and documentation I came up with the
attached version which also makes the testsuite use the list syntax in order to
test it. It's essentially just polish and adding comments with the functional
changes that a) it parses the entire list of curves so all errors can be
reported instead of giving up at the first error; b) leaving the cipher suite
GUC blank will set the suites to the OpenSSL default value.

This patch requires OpenSSL 1.1.1 as the minimum version, which in my view is
fine. Removing support for older OpenSSL versions is being discussed already
and this makes a good case for requiring 1.1.1. It does however mean that this
patch cannot be committed until that has been done though. I have yet to test
this with LibreSSL.

As was suggested in a related thread I think we should change the default value
of the ECDH curves parameter, but that's for another patch.

--
Daniel Gustafsson

Attachment Content-Type Size
v3-0001-Support-multiple-ECDH-curves.patch application/octet-stream 4.2 KB
v3-0002-Support-TLSv1.3-cipher-suites.patch application/octet-stream 7.8 KB
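The two functional changes described in the message above (validate the whole curve list and report every bad entry rather than stopping at the first, and treat a blank cipher suite setting as "use the OpenSSL default") can be illustrated with a small stand-alone C example. This is an added illustration, not code from the attached patches or from PostgreSQL: the `known_groups` table is a constructed stand-in for the names OpenSSL would accept (the real server hands the list to OpenSSL, e.g. `SSL_CTX_set1_groups_list` in 1.1.1+, and does not keep its own table), and the function names and the sample input are assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the group names OpenSSL accepts; real server code
 * would pass the list to OpenSSL (SSL_CTX_set1_groups_list in 1.1.1+) instead
 * of keeping its own table. */
static const char *const known_groups[] = {
    "prime256v1", "secp384r1", "secp521r1", "X25519", "X448", NULL
};

static int group_is_known(const char *name)
{
    for (int i = 0; known_groups[i] != NULL; i++)
        if (strcmp(name, known_groups[i]) == 0)
            return 1;
    return 0;
}

/* Append msg to errbuf, truncating silently once the buffer is full. */
static void append_err(char *errbuf, size_t errlen, size_t *used, const char *msg)
{
    if (*used >= errlen)
        return;
    int n = snprintf(errbuf + *used, errlen - *used, "%s", msg);
    if (n < 0)
        return;
    *used += (size_t) n;
    if (*used > errlen)
        *used = errlen;
}

/*
 * Validate every entry of a comma-separated group list, collecting one
 * diagnostic per bad entry instead of giving up at the first one.  Returns
 * the number of invalid entries (0 means the whole list is acceptable).
 */
int check_group_list(const char *list, char *errbuf, size_t errlen)
{
    int bad = 0;
    size_t used = 0;
    const char *p = list;

    if (errlen > 0)
        errbuf[0] = '\0';

    for (;;)
    {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t) (end - p) : strlen(p);
        char name[64];
        char msg[96];

        /* trim whitespace around the entry */
        while (len > 0 && isspace((unsigned char) *p)) { p++; len--; }
        while (len > 0 && isspace((unsigned char) p[len - 1])) len--;

        if (len == 0 || len >= sizeof(name))
        {
            bad++;
            append_err(errbuf, errlen, &used, "empty or over-long entry; ");
        }
        else
        {
            memcpy(name, p, len);
            name[len] = '\0';
            if (!group_is_known(name))
            {
                bad++;
                snprintf(msg, sizeof(msg), "unknown group \"%s\"; ", name);
                append_err(errbuf, errlen, &used, msg);
            }
        }
        if (end == NULL)
            break;
        p = end + 1;
    }
    return bad;
}

/*
 * A blank (empty or whitespace-only) cipher suite setting means "use the
 * OpenSSL default": return NULL so the caller leaves the SSL_CTX untouched
 * instead of configuring an explicit suite list.
 */
const char *effective_ciphersuites(const char *guc_value)
{
    if (guc_value == NULL)
        return NULL;
    while (isspace((unsigned char) *guc_value))
        guc_value++;
    return *guc_value ? guc_value : NULL;
}

int main(void)
{
    char errbuf[256];
    /* constructed input containing two bad entries */
    int bad = check_group_list("X25519, prime256v1, brainpoolP999, ,secp384r1",
                               errbuf, sizeof(errbuf));
    printf("%d invalid entries: %s\n", bad, errbuf);
    const char *cs = effective_ciphersuites("   ");
    printf("cipher suites: %s\n", cs ? cs : "(OpenSSL default)");
    return 0;
}
```

The point of collecting diagnostics rather than returning on the first failure is operational: an administrator who mistypes two names in a long list fixes both after one reload attempt instead of discovering them one restart at a time.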
