Re: Add support to TLS 1.3 cipher suites and curves lists

Peter Eisentraut <peter@eisentraut.org>

From: Peter Eisentraut <peter@eisentraut.org>
To: Jacob Champion <jacob.champion@enterprisedb.com>, Daniel Gustafsson <daniel@yesql.se>
Cc: Erica Zhang <ericazhangy2021@qq.com>, Andres Freund <andres@anarazel.de>, Jelte Fennema-Nio <postgres@jeltef.nl>, pgsql-hackers <pgsql-hackers@lists.postgresql.org>
Date: 2024-09-25T08:51:05Z
Lists: pgsql-hackers
On 18.09.24 22:48, Jacob Champion wrote:
>> +#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'  # allowed TLSv1.2 ciphers
>> +#ssl_cipher_suites = ''    # allowed TLSv1.3 cipher suites, blank for default
> After marinating on this a bit... I think the naming may result in
> some "who's on first" miscommunications in forums and on the list. "I
> set the SSL ciphers to <whatever>, but it says there are no valid
> ciphers available!" Should we put TLS 1.3 into the new GUC name
> somehow?

Yeah, I think just

ssl_ciphers =
ssl_ciphers_tlsv13 =

would be clear enough.  Just using "ciphers" vs. "cipher suites" would 
not be.




Commits

  1. Handle alphanumeric characters in matching GUC names

  2. Only perform pg_strong_random init when required