On Mon, 10 Jun 2024 at 12:31, Daniel Gustafsson <dan...@yesql.se> wrote:
> Regarding the ciphersuites portion of the patch. I'm not particularly thrilled
> about having a GUC for TLSv1.2 ciphers and one for TLSv1.3 ciphersuites, users
> not all that familiar with TLS will likely find it confusing to figure out what
> to do.
I don't think it's easy to create a single GUC because OpenSSL has different APIs for both. So we'd have to add some custom parsing for the combined string, which is likely to cause some problems imho. I think separating them is the best option from the options we have and I don't think it matters much in practice for users. Users not familiar with TLS might indeed be confused, but those users shouldn't touch these settings anyway, and just use the defaults. The users that care about this probably already get two cipher strings from their compliance teams, because many other applications also have two separate options for specifying both.
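
The API split mentioned in the message can be observed from any OpenSSL binding. The following is an added example, not part of the original message or the patch: it uses Python's `ssl` module, whose `set_ciphers()` wraps OpenSSL's `SSL_CTX_set_cipher_list()` (the TLSv1.2-and-below API), and shows that the TLSv1.3 suites, which OpenSSL configures through the separate `SSL_CTX_set_ciphersuites()`, are left untouched. The cipher string `ECDHE+AESGCM` and the helper names are constructed for illustration.

```python
import ssl


def split_by_protocol(ctx):
    """Return (tls13_names, older_names) for the suites enabled on ctx."""
    tls13, older = [], []
    for cipher in ctx.get_ciphers():
        if cipher["protocol"] == "TLSv1.3":
            tls13.append(cipher["name"])
        else:
            older.append(cipher["name"])
    return tls13, older


def restrict_tls12_list(cipher_string):
    """Apply a TLSv1.2-style cipher string and report what changed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    tls13_before, tls12_before = split_by_protocol(ctx)

    # Only the TLSv1.2-and-below list is parsed from this string.
    # TLSv1.3 suites live in a second list with its own setter in OpenSSL.
    ctx.set_ciphers(cipher_string)

    tls13_after, tls12_after = split_by_protocol(ctx)
    return {
        "tls12_before": tls12_before,
        "tls12_after": tls12_after,
        "tls13_before": tls13_before,
        "tls13_after": tls13_after,
    }


if __name__ == "__main__":
    result = restrict_tls12_list("ECDHE+AESGCM")  # constructed sample policy
    print("TLSv1.2 and below: %d suites before, %d after"
          % (len(result["tls12_before"]), len(result["tls12_after"])))
    for name in result["tls12_after"]:
        print("  kept:", name)
    print("TLSv1.3 suites unchanged:",
          result["tls13_before"] == result["tls13_after"])
    for name in result["tls13_after"]:
        print("  still enabled:", name)
```

A policy that restricts only the first list therefore leaves the TLSv1.3 defaults in force, which is why a server needs a second setting to constrain them.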