Re: ecdh support causes unnecessary roundtrips

Andres Freund <andres@anarazel.de>

From: Andres Freund <andres@anarazel.de>
To: Daniel Gustafsson <daniel@yesql.se>
Cc: PostgreSQL Hackers <pgsql-hackers@postgresql.org>, Marko Kreen <markokr@gmail.com>, Adrian Klaver <adrian.klaver@gmail.com>, Peter Eisentraut <peter_e@gmx.net>, Heikki Linnakangas <hlinnaka@iki.fi>
Date: 2024-06-17T17:44:22Z
Lists: pgsql-hackers
Hi,

On 2024-06-17 19:29:47 +0200, Daniel Gustafsson wrote:
> >> I wonder if that made OpenSSL override the min protocol version and switch
> >> to a TLS1.3 ClientHello since it otherwise couldn't announce the curve.
> >
> > The client seems to announce the curve in the initial ClientHello even with
> > 1.3 as the minimum version.
>
> With 1.3 it should announce it in ClientHello, do you mean that it's announced
> when 1.2 is the minimum version as well?  It does make sense since a 1.2 server
> is defined to disregard all extensions.

Yes, it's announced even when 1.2 is the minimum:

            Extension: supported_versions (len=5) TLS 1.3, TLS 1.2
                Type: supported_versions (43)
                Length: 5
                Supported Versions length: 4
                Supported Version: TLS 1.3 (0x0304)
                Supported Version: TLS 1.2 (0x0303)
...
            Extension: key_share (len=38) x25519
                Type: key_share (51)
                Length: 38
                Key Share extension



> Let's bring that to Erica's patch for allowing a list of curves.

I'm kinda wondering if we ought to do something about this in the
backbranches. Forcing unnecessary roundtrips onto everyone for the next five
years due to an oversight on our part isn't great.  Once you're not local, the
roundtrip does measurably increase the "time to first query".

Greetings,

Andres Freund



Commits

  1. doc: Add note to ssl_group config on X25519 and FIPS

  2. Avoid using the X25519 curve in ssl tests

  3. Add X25519 to the default set of curves

  4. SSL: Support ECDH key exchange