Re: Add support to TLS 1.3 cipher suites and curves lists

Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com> writes:
> On Wed, Dec 11, 2024 at 9:11 AM Nathan Bossart <nathandbossart(at)gmail(dot)com> wrote:
>> Sorry for chiming in so late here, but I was a little surprised to see the
>> TLS version in the GUC name. ISTM this would require us to create a new
>> GUC for every new TLS version, or explain that ssl_tls13_ciphers isn't just
>> for 1.3.

> I agree it's not ideal. But part of the problem IMO is that we might
> actually _have_ to introduce a new GUC for a future TLS 1.4, because
> we have no idea if the ciphersuites will change incompatibly again. (I
> hope not, but they did it once and they could do it again.)
> If 1.4, or 2.0, or... 4? [1] comes out later, and it turns out to be
> compatible, we could probably add a more appropriate alias then. (For
> now, just as some additional data points, both Apache and Curl use
> "1.3" or "13" in the configuration as a differentiator.) Do you have a
> different naming scheme in mind?

Oh yay, another naming problem :-(. I think that neither "ciphers"
vs. "cipher suites" nor "ssl_ciphers" vs. "ssl_ciphers_tlsv13" is
going to convey a lot to the average person who's not steeped in
TLS minutiae. However, following the precedent of Apache and Curl
seems like a good answer --- that will ensure that at least some
part of the internet-using world has seen this before. So I guess
I'm +0.5 for the ssl_ciphers_tlsv13 answer, at least out of the
choices suggested so far.

regards, tom lane