Hi all,
I’m a security engineer and I’m looking into restricting the set of allowed ciphers on Postgres and configure a concrete set of curves on our postgres instances.
I see in the source code that only TLS 1.2 and bellow cipher lists can be configured:
https://github.com/postgres/postgres/blob/master/src/backend/libpq/be-secure-openssl.c#L281
and Postgres relies on the OpenSSL defaults for TLS 1.3 ciphersuites.
My first question is whether there is a reason not to support setting TLS 1.3 cipher suites through configuration ? Maybe there are Postgres builds with BoringSSL ? (Just speculating ?)
Another thing I was curious about is why does postgres opts to support setting only a single elliptic group (https://github.com/postgres/postgres/blob/master/src/backend/libpq/be-secure-openssl.c#L1303) instead of calling out to an SSL function like SSL_CTX_set1_curves_list ?
Would the community be interested in seeing patches for setting TLS 1.3 ciphersuites and expanding the configuration option for EC settings to support lists instead of single values ?
Thanks,
Seraphime Kirkovski