| From: | Daniel Gustafsson <daniel(at)yesql(dot)se> |
|---|---|
| To: | Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com> |
| Cc: | Peter Eisentraut <peter(at)eisentraut(dot)org>, Erica Zhang <ericazhangy2021(at)qq(dot)com>, Andres Freund <andres(at)anarazel(dot)de>, Jelte Fennema-Nio <postgres(at)jeltef(dot)nl>, pgsql-hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: Add support to TLS 1.3 cipher suites and curves lists |
| Date: | 2024-10-15 10:41:20 |
| Message-ID: | CB6F881E-327D-4D31-AB46-713616985FAC@yesql.se |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
> On 3 Oct 2024, at 01:20, Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com> wrote:
>
> On Wed, Oct 2, 2024 at 11:33 AM Daniel Gustafsson <daniel(at)yesql(dot)se> wrote:
>>> If I migrate a server to a different machine that doesn't support my
>>> groups, I don't know that this would give me enough information to fix
>>> the configuration.
>>
>> Fair point, how about something along the lines of:
>>
>> + errmsg("ECDH: failed to set curve names specified in ssl_groups: %s",
>> + SSLerrmessageExt(ERR_get_error(),
>> + _("No valid groups found"))),
>
> Yeah, I think that's enough of a pointer. And then maybe "Failed to
> set group names specified in ssl_groups: %s" to get rid of the
> lingering ECC references?
>
>>> One nice side effect of the new ssl_groups implementation is that we
>>> now support common group aliases. For example, "P-256", "prime256v1",
>>> and "secp256r1" can all be specified now, whereas before ony
>>> "prime256v1" worked because of how we looked up curves. Is that worth
>>> a note in the docs?
>>
>> Maybe. We have this currently in the manual:
>>
>> "The full list of available curves can be shown with the command
>> <command>openssl ecparam -list_curves</command>. Not all of them are
>> usable with <acronym>TLS</acronym> though."
>>
>> Perhaps we can extend that with a short not on aliases? Got any suggested
>> wordings for that if so?
>
> Hm, well, I went down a rabbit hole this afternoon -- OpenSSL has an
> open feature request [1] that might eventually document this the right
> way. In the meantime, maybe something like...
>
> An incomplete list of available groups can be shown with the
> command openssl ecparam -list_curves. Not all of them are usable with
> TLS though, and many supported group names and aliases are omitted.
>
> In PostgreSQL versions before 18.0 this setting was named
> ssl_ecdh_curve. It only accepted a single value and did not recognize
> group aliases at all.
Attached is a v8 which address the above two raised points, as well as adds a
small note about LibreSSL in the docs as discussed in the retire-1.1.0-thread.
--
Daniel Gustafsson
| Attachment | Content-Type | Size |
|---|---|---|
| v8-0004-Support-configuring-TLSv1.3-cipher-suites.patch | application/octet-stream | 8.5 KB |
| v8-0003-Support-configuring-multiple-ECDH-curves.patch | application/octet-stream | 9.9 KB |
| v8-0002-Raise-the-minimum-supported-OpenSSL-version-to-1..patch | application/octet-stream | 9.4 KB |
| v8-0001-Handle-alphanumeric-characters-in-matching-GUC-na.patch | application/octet-stream | 1.3 KB |
| unknown_filename | text/plain | 1 byte |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Daniel Gustafsson | 2024-10-15 10:42:39 | Re: Add support to TLS 1.3 cipher suites and curves lists |
| Previous Message | Alvaro Herrera | 2024-10-15 10:08:01 | Re: simplify regular expression locale global variables |