| From: | Erica Zhang <ericazhangy2021(at)qq(dot)com> |
|---|---|
| To: | pgsql-hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
| Subject: | Add support to TLS 1.3 cipher suites and curves lists |
| Date: | 2024-06-07 06:10:57 |
| Message-ID: | tencent_063F89FA72CCF2E48A0DF5338841988E9809@qq.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Hi All,
I’m a Postgres user and I’m looking into restricting the set of allowed ciphers on Postgres and configure a concrete set of curves on our postgres instances.
I see in current Postgres doc mentioned that only TLS1.2 and below cipher lists can be configured. And there is no setting that controls the cipher choices used by TLS1.3.
As for ECDH keys currently postgres opts to support setting only a single elliptic group instead of setting a lists.
As described in below doc link:
https://www.postgresql.org/docs/devel/runtime-config-connection.html
Now I have a patch to support settings for TLS1.3 ciphersuites and expanding the configuration option for EC settings. With my patch we can do:
1. Added a new configuration option ssl_ciphers_suites to control the cipher choices used by TLS 1.3. 2. Extend the existing configuration option ssl_ecdh_curve to accept a list of curve names seperated by colon.
Could you please help to review to see if you are interested in having this change in upcoming Postgres major release(It's should be PG17)?
Thanks in advance.
| Attachment | Content-Type | Size |
|---|---|---|
| patch_support_tls1.3_curvelist.diff | application/octet-stream | 4.4 KB |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Ashutosh Sharma | 2024-06-07 06:23:14 | Re: How about using dirty snapshots to locate dependent objects? |
| Previous Message | Thomas Munro | 2024-06-07 06:06:14 | Re: Assert in heapgettup_pagemode() fails due to underlying buffer change |