From: | "Jonathan S(dot) Katz" <jkatz(at)postgresql(dot)org> |
---|---|
To: | Daniel Gustafsson <daniel(at)yesql(dot)se>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com>, Nathan Bossart <nathandbossart(at)gmail(dot)com>, Peter Eisentraut <peter(at)eisentraut(dot)org>, Erica Zhang <ericazhangy2021(at)qq(dot)com>, Andres Freund <andres(at)anarazel(dot)de>, Jelte Fennema-Nio <postgres(at)jeltef(dot)nl>, pgsql-hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
Subject: | Re: Add support to TLS 1.3 cipher suites and curves lists |
Date: | 2024-12-12 01:53:50 |
Message-ID: | d56a18d1-e37e-40a1-8c96-5daa280c593d@postgresql.org |
Lists: | pgsql-hackers |

On 12/11/24 10:14 AM, Daniel Gustafsson wrote:
>> On 11 Dec 2024, at 18:47, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>
>> Oh yay, another naming problem :-(. I think that neither "ciphers"
>> vs. "cipher suites" nor "ssl_ciphers" vs. "ssl_ciphers_tlsv13" is
>> going to convey a lot to the average person who's not steeped in
>> TLS minutiae. However, following the precedent of Apache and Curl
>> seems like a good answer --- that will ensure that at least some
>> part of the internet-using world has seen this before. So I guess
>> I'm +0.5 for the ssl_ciphers_tlsv13 answer, at least out of the
>> choices suggested so far.
>
> The subset of users who are likely to be interested in this setting would
> probably be more confused if we didn't follow the precedent from other
> well-known projects.

+1 to this point. The people I talk to who are interested in the
`cipher_suites` setting are also the folks who are actually paying
attention to when and how ciphers/ciphersuites are used, and have strong
opinions on such. It also seems that OpenSSL is pushing in the direction
of making everything a "ciphersuite", albeit the -ciphersuites flag is
just for TLS v1.3+[1].

I think the `ssl_cipher_suites` proposal is fine; OK with bikeshedding
to `ssl_ciphersuites`.

Thanks,

Jonathan

[1] https://docs.openssl.org/3.3/man1/openssl-ciphers/#options