Re: Add support to TLS 1.3 cipher suites and curves lists
From: Peter Eisentraut
Subject: Re: Add support to TLS 1.3 cipher suites and curves lists
Msg-id: 2fd52846-66ff-4faa-9f89-19628a8a6122@eisentraut.org
In reply to: Re: Add support to TLS 1.3 cipher suites and curves lists (Jelte Fennema-Nio <postgres@jeltef.nl>)
List: pgsql-hackers
On 12.06.24 10:51, Jelte Fennema-Nio wrote:
> On Mon, 10 Jun 2024 at 12:31, Daniel Gustafsson <daniel@yesql.se> wrote:
>> Regarding the ciphersuites portion of the patch. I'm not particularly thrilled
>> about having a GUC for TLSv1.2 ciphers and one for TLSv1.3 ciphersuites, users
>> not all that familiar with TLS will likely find it confusing to figure out what
>> to do.
>
> I don't think it's easy to create a single GUC because OpenSSL has
> different APIs for both. So we'd have to add some custom parsing for
> the combined string, which is likely to cause some problems imho. I
> think separating them is the best option from the options we have and
> I don't think it matters much in practice for users. Users not familiar
> with TLS might indeed be confused, but those users shouldn't touch
> these settings anyway, and just use the defaults. The users that care
> about this probably already get two cipher strings from their
> compliance teams, because many other applications also have two
> separate options for specifying both.

Maybe some comparisons with other SSL-enabled server products would be useful.

Here is the Apache httpd setting:
https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslciphersuite
They use a complex syntax to be able to set both via one setting.

Here is the nginx setting:
https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers
This doesn't appear to support TLS 1.3?
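The "custom parsing for the combined string" that the quoted reply refers to is concrete enough to sketch. OpenSSL (1.1.1 and later) really does keep the two namespaces apart: the TLSv1.2-and-earlier cipher string, with its keywords (HIGH), modifiers (!aNULL) and sorting directives (@STRENGTH), goes to SSL_CTX_set_cipher_list(), while TLSv1.3 ciphersuites go to SSL_CTX_set_ciphersuites() and are drawn from a closed set of five fixed names. The following is an added illustration, not code from this thread or from PostgreSQL: a splitter that takes one combined ':'-separated string and routes each token to the list the corresponding OpenSSL call would take. It is plain C with no OpenSSL dependency; the two output strings are what one would hand to the two OpenSSL functions named above. The function name split_cipher_spec and the single-GUC layout it implies are hypothetical. The splitter only accepts ':' as a separator (OpenSSL also accepts ',' and ' ' in cipher strings) and rejects empty tokens, which is the kind of corner the quoted reply is warning about.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * The five TLSv1.3 ciphersuites OpenSSL 1.1.1+ recognises. These are the
 * only names SSL_CTX_set_ciphersuites() accepts; anything else in a cipher
 * string (TLSv1.2 suite names such as ECDHE-RSA-AES256-GCM-SHA384, keywords
 * such as HIGH, modifiers such as !aNULL or @STRENGTH) belongs to the
 * SSL_CTX_set_cipher_list() string instead. Names are matched case-sensitively.
 */
static const char *const tls13_suites[] = {
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
};

static bool is_tls13_suite(const char *tok, size_t len)
{
    for (size_t i = 0; i < sizeof tls13_suites / sizeof tls13_suites[0]; i++)
        if (strlen(tls13_suites[i]) == len && memcmp(tls13_suites[i], tok, len) == 0)
            return true;
    return false;
}

/* Append tok to a ':'-separated list in dst; false if it would not fit. */
static bool append_tok(char *dst, size_t cap, const char *tok, size_t len)
{
    size_t used = strlen(dst);
    size_t need = used + (used ? 1 : 0) + len + 1;   /* separator + token + NUL */
    if (need > cap)
        return false;
    if (used)
        dst[used++] = ':';
    memcpy(dst + used, tok, len);
    dst[used + len] = '\0';
    return true;
}

/*
 * Hypothetical helper: split one combined cipher string into the two strings
 * OpenSSL wants. tls12 receives everything SSL_CTX_set_cipher_list() would
 * take, tls13 everything SSL_CTX_set_ciphersuites() would take. Only ':' is
 * accepted as separator. Returns the number of tokens routed, or -1 on an
 * empty token (e.g. "a::b" or a trailing ':') or on output overflow.
 */
int split_cipher_spec(const char *combined, char *tls12, size_t cap12,
                      char *tls13, size_t cap13)
{
    int n = 0;
    const char *p = combined;

    tls12[0] = '\0';
    tls13[0] = '\0';
    while (*p) {
        const char *sep = strchr(p, ':');
        size_t len = sep ? (size_t)(sep - p) : strlen(p);
        bool ok;

        if (len == 0)
            return -1;
        ok = is_tls13_suite(p, len) ? append_tok(tls13, cap13, p, len)
                                    : append_tok(tls12, cap12, p, len);
        if (!ok)
            return -1;
        n++;
        if (!sep)
            break;
        p = sep + 1;
        if (*p == '\0')
            return -1;          /* trailing separator */
    }
    return n;
}

int main(void)
{
    /* Constructed sample input mixing both namespaces in one string. */
    const char *combined =
        "HIGH:!aNULL:TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES256-GCM-SHA384";
    char tls12[256], tls13[256];
    int n = split_cipher_spec(combined, tls12, sizeof tls12, tls13, sizeof tls13);

    printf("%d tokens\n  cipher_list  = %s\n  ciphersuites = %s\n", n, tls12, tls13);
    return n < 0;
}
```

The routing works only because OpenSSL's TLSv1.3 names form a small fixed set; a user who writes IANA-style names for TLSv1.2 suites (TLS_ECDHE_RSA_WITH_...) would have them silently routed to the 1.2 list and then rejected by OpenSSL, so any single-setting design needs to report both OpenSSL calls' failures back to the user rather than only the first.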