Re: Add support to TLS 1.3 cipher suites and curves lists
Daniel Gustafsson <daniel@yesql.se>
From: Daniel Gustafsson <daniel@yesql.se>
To: Jacob Champion <jacob.champion@enterprisedb.com>
Cc: Peter Eisentraut <peter@eisentraut.org>,
Erica Zhang <ericazhangy2021@qq.com>,
Andres Freund <andres@anarazel.de>,
Jelte Fennema-Nio <postgres@jeltef.nl>,
pgsql-hackers <pgsql-hackers@lists.postgresql.org>
Date: 2024-10-15T10:41:20Z
Lists: pgsql-hackers
Attachments
- v8-0004-Support-configuring-TLSv1.3-cipher-suites.patch (application/octet-stream) patch v8-0004
- v8-0003-Support-configuring-multiple-ECDH-curves.patch (application/octet-stream) patch v8-0003
- v8-0002-Raise-the-minimum-supported-OpenSSL-version-to-1..patch (application/octet-stream) patch v8-0002
- v8-0001-Handle-alphanumeric-characters-in-matching-GUC-na.patch (application/octet-stream) patch v8-0001
- (unnamed) (text/plain)
> On 3 Oct 2024, at 01:20, Jacob Champion <jacob.champion@enterprisedb.com> wrote:
>
> On Wed, Oct 2, 2024 at 11:33 AM Daniel Gustafsson <daniel@yesql.se> wrote:
>>> If I migrate a server to a different machine that doesn't support my
>>> groups, I don't know that this would give me enough information to fix
>>> the configuration.
>>
>> Fair point, how about something along the lines of:
>>
>> + errmsg("ECDH: failed to set curve names specified in ssl_groups: %s",
>> + SSLerrmessageExt(ERR_get_error(),
>> + _("No valid groups found"))),
>
> Yeah, I think that's enough of a pointer. And then maybe "Failed to
> set group names specified in ssl_groups: %s" to get rid of the
> lingering ECC references?
>
>>> One nice side effect of the new ssl_groups implementation is that we
>>> now support common group aliases. For example, "P-256", "prime256v1",
>>> and "secp256r1" can all be specified now, whereas before ony
>>> "prime256v1" worked because of how we looked up curves. Is that worth
>>> a note in the docs?
>>
>> Maybe. We have this currently in the manual:
>>
>> "The full list of available curves can be shown with the command
>> <command>openssl ecparam -list_curves</command>. Not all of them are
>> usable with <acronym>TLS</acronym> though."
>>
>> Perhaps we can extend that with a short not on aliases? Got any suggested
>> wordings for that if so?
>
> Hm, well, I went down a rabbit hole this afternoon -- OpenSSL has an
> open feature request [1] that might eventually document this the right
> way. In the meantime, maybe something like...
>
> An incomplete list of available groups can be shown with the
> command openssl ecparam -list_curves. Not all of them are usable with
> TLS though, and many supported group names and aliases are omitted.
>
> In PostgreSQL versions before 18.0 this setting was named
> ssl_ecdh_curve. It only accepted a single value and did not recognize
> group aliases at all.
Attached is a v8 which address the above two raised points, as well as adds a
small note about LibreSSL in the docs as discussed in the retire-1.1.0-thread.
--
Daniel Gustafsson
Commits
-
Handle alphanumeric characters in matching GUC names
- f81855171f95 18.0 landed
-
Only perform pg_strong_random init when required
- c3333dbc0c0f 18.0 cited