Re: Add support to TLS 1.3 cipher suites and curves lists

From: Jelte Fennema-Nio <postgres(at)jeltef(dot)nl>
To: Daniel Gustafsson <daniel(at)yesql(dot)se>
Cc: Erica Zhang <ericazhangy2021(at)qq(dot)com>, Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com>, Peter Eisentraut <peter(at)eisentraut(dot)org>, pgsql-hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: Re: Add support to TLS 1.3 cipher suites and curves lists
Date: 2024-06-12 08:51:05
Message-ID: CAGECzQSnC66fJCrzyD16Ec7dg5nwxn6KGdEh-yB=V=W8FfBqSg@mail.gmail.com
Lists: pgsql-hackers

On Mon, 10 Jun 2024 at 12:31, Daniel Gustafsson <daniel(at)yesql(dot)se> wrote:
> Regarding the ciphersuites portion of the patch. I'm not particularly thrilled
> about having a GUC for TLSv1.2 ciphers and one for TLSv1.3 ciphersuites, users
> not all that familiar with TLS will likely find it confusing to figure out what
> to do.

I don't think it's easy to create a single GUC because OpenSSL has
different APIs for both. So we'd have to add some custom parsing for
the combined string, which is likely to cause some problems imho. I
think separating them is the best option from the options we have and
I don't think it matters much in practice for users. Users not familiar
with TLS might indeed be confused, but those users shouldn't touch
these settings anyway, and just use the defaults. The users that care
about this probably already get two cipher strings from their
compliance teams, because many other applications also have two
separate options for specifying both.
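To make the "custom parsing" concern concrete, here is an added example (my own illustration, not code from this thread, from PostgreSQL, or from OpenSSL) of what a splitter for a single combined GUC would have to do: route each token either to the TLSv1.2 cipher-list string or to the TLSv1.3 ciphersuite string, since OpenSSL takes them through two different calls (SSL_CTX_set_cipher_list() and SSL_CTX_set_ciphersuites()). The routing rule is an assumption of mine: tokens are ':'-separated (the separator both syntaxes share), and a token starting with "TLS_" is treated as a TLSv1.3 suite because OpenSSL's TLSv1.3 suite names all carry that prefix. The last function shows the kind of problem such a heuristic causes: an IANA-style TLSv1.2 name also starts with "TLS_" and is sent to the wrong list. The input strings are constructed for the example.

```c
/*
 * Added example, not PostgreSQL or OpenSSL code: split a hypothetical
 * combined cipher setting into the two strings OpenSSL's separate APIs
 * expect, and show why such parsing is fragile.
 *
 * Assumptions (mine, not from the thread): tokens are ':'-separated;
 * a token starting with "TLS_" goes to the TLSv1.3 ciphersuite list,
 * everything else to the TLSv1.2 cipher-list string. OpenSSL's
 * cipher-list syntax also accepts ',' and ' ' separators; those are
 * deliberately not handled here.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Append tok to buf (a ':'-separated list); false if it does not fit. */
static bool
append_token(char *buf, size_t bufsz, const char *tok, size_t toklen)
{
    size_t used = strlen(buf);
    size_t need = used + (used ? 1 : 0) + toklen + 1;

    if (need > bufsz)
        return false;
    if (used)
        buf[used++] = ':';
    memcpy(buf + used, tok, toklen);
    buf[used + toklen] = '\0';
    return true;
}

/*
 * Split combined into tls12 (cipher-list syntax) and tls13 (ciphersuite
 * syntax). Returns the number of tokens routed, or -1 on overflow.
 * A caller would then hand tls12 to SSL_CTX_set_cipher_list() and
 * tls13 to SSL_CTX_set_ciphersuites().
 */
static int
split_cipher_setting(const char *combined,
                     char *tls12, size_t tls12sz,
                     char *tls13, size_t tls13sz)
{
    int         ntok = 0;
    const char *p = combined;

    tls12[0] = '\0';
    tls13[0] = '\0';

    while (*p)
    {
        const char *end = strchr(p, ':');
        size_t      len = end ? (size_t) (end - p) : strlen(p);

        if (len > 0)
        {
            bool is13 = strncmp(p, "TLS_", 4) == 0;

            if (!append_token(is13 ? tls13 : tls12,
                              is13 ? tls13sz : tls12sz, p, len))
                return -1;
            ntok++;
        }
        p = end ? end + 1 : p + len;
    }
    return ntok;
}

/* Helper for checking results: split and compare both outputs. */
static bool
check_split(const char *combined, const char *want12, const char *want13)
{
    char tls12[256], tls13[256];

    if (split_cipher_setting(combined, tls12, sizeof tls12,
                             tls13, sizeof tls13) < 0)
        return false;
    return strcmp(tls12, want12) == 0 && strcmp(tls13, want13) == 0;
}

/*
 * The failure mode: an IANA-style TLSv1.2 suite name (constructed input)
 * also starts with "TLS_", so the heuristic sends it to the TLSv1.3
 * list, where OpenSSL would reject it. True means it was misrouted.
 */
static bool
misroutes_iana_name(void)
{
    char tls12[128], tls13[128];

    split_cipher_setting("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                         tls12, sizeof tls12, tls13, sizeof tls13);
    return tls12[0] == '\0' && tls13[0] != '\0';
}

int
main(void)
{
    char        tls12[256], tls13[256];
    const char *setting =           /* constructed combined setting */
        "HIGH:!aNULL:TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
        "TLS_CHACHA20_POLY1305_SHA256:@STRENGTH";
    int         n = split_cipher_setting(setting, tls12, sizeof tls12,
                                         tls13, sizeof tls13);

    printf("tokens routed: %d\n", n);
    printf("SSL_CTX_set_cipher_list : %s\n", tls12);
    printf("SSL_CTX_set_ciphersuites: %s\n", tls13);
    printf("IANA name misrouted: %s\n", misroutes_iana_name() ? "yes" : "no");
    return 0;
}
```

The splitter itself is small; the point is that any such rule has to know OpenSSL's naming conventions, and as soon as a user writes a name in a different but plausible style the token lands in the wrong API, which is exactly the class of problem two separate settings avoid.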
