Re: ecdh support causes unnecessary roundtrips
Andres Freund <andres@anarazel.de>
From: Andres Freund <andres@anarazel.de>
To: Daniel Gustafsson <daniel@yesql.se>
Cc: PostgreSQL Hackers <pgsql-hackers@postgresql.org>, Marko Kreen <markokr@gmail.com>, Adrian Klaver <adrian.klaver@gmail.com>, Peter Eisentraut <peter_e@gmx.net>, Heikki Linnakangas <hlinnaka@iki.fi>
Date: 2024-06-17T17:44:22Z
Lists: pgsql-hackers
Hi,
On 2024-06-17 19:29:47 +0200, Daniel Gustafsson wrote:
> >> I wonder if that made OpenSSL override the min protocol version and switch
> >> to a TLS1.3 ClientHello since it otherwise couldn't announce the curve.
> >
> > The client seems to announce the curve in the initial ClientHello even with
> > 1.3 as the minimum version.
>
> With 1.3 it should announce it in ClientHello, do you mean that it's announced
> when 1.2 is the minimum version as well? It does make sense since a 1.2 server
> is defined to disregard all extensions.
Yes, it's announced even when 1.2 is the minimum:
Extension: supported_versions (len=5) TLS 1.3, TLS 1.2
Type: supported_versions (43)
Length: 5
Supported Versions length: 4
Supported Version: TLS 1.3 (0x0304)
Supported Version: TLS 1.2 (0x0303)
...
Extension: key_share (len=38) x25519
Type: key_share (51)
Length: 38
Key Share extension
> Let's bring that to Erica's patch for allowing a list of curves.
I'm kinda wondering if we ought to do something about this in the
backbranches. Forcing unnecessary roundtrips onto everyone for the next five
years due to an oversight on our part isn't great. Once you're not local, the
roundtrip does measurably increase the "time to first query".
Greetings,
Andres Freund
Commits
-
doc: Add note to ssl_group config on X25519 and FIPS
- db93988ab0e7 19 (unreleased) landed
-
Avoid using the X25519 curve in ssl tests
- 07e90c691358 19 (unreleased) landed
-
Add X25519 to the default set of curves
- daa02c6bd926 18.0 landed
-
SSL: Support ECDH key exchange
- 3164721462d5 9.4.0 cited