Fine-tune TLS 1.3 cipher suites and curves lists

Hi all,

I’m a security engineer and I’m looking into restricting the set of allowed ciphers on Postgres and configure a concrete set of curves on our postgres instances.

I see in the source code that only TLS 1.2 and bellow cipher lists can be configured:

https://github.com/postgres/postgres/blob/master/src/backend/libpq/be-secure-openssl.c#L281

and Postgres relies on the OpenSSL defaults for TLS 1.3 ciphersuites.

My first question is whether there is a reason not to support setting TLS 1.3 cipher suites through configuration ? Maybe there are Postgres builds with BoringSSL ? (Just speculating ?)

Another thing I was curious about is why does postgres opts to support setting only a single elliptic group (https://github.com/postgres/postgres/blob/master/src/backend/libpq/be-secure-openssl.c#L1303) instead of calling out to an SSL function like SSL_CTX_set1_curves_list ?

Would the community be interested in seeing patches for setting TLS 1.3 ciphersuites and expanding the configuration option for EC settings to support lists instead of single values ? 

Thanks,

Seraphime Kirkovski