Re: Add support to TLS 1.3 cipher suites and curves lists

Tue, 15 Oct 2024 03:41:49 -0700 

> On 3 Oct 2024, at 01:20, Jacob Champion <jacob.champ...@enterprisedb.com> 
> wrote:
> 
> On Wed, Oct 2, 2024 at 11:33 AM Daniel Gustafsson <dan...@yesql.se> wrote:
>>> If I migrate a server to a different machine that doesn't support my
>>> groups, I don't know that this would give me enough information to fix
>>> the configuration.
>> 
>> Fair point, how about something along the lines of:
>> 
>> +       errmsg("ECDH: failed to set curve names specified in ssl_groups: %s",
>> +               SSLerrmessageExt(ERR_get_error(),
>> +                                _("No valid groups found"))),
> 
> Yeah, I think that's enough of a pointer. And then maybe "Failed to
> set group names specified in ssl_groups: %s" to get rid of the
> lingering ECC references?
> 
>>> One nice side effect of the new ssl_groups implementation is that we
>>> now support common group aliases. For example, "P-256", "prime256v1",
>>> and "secp256r1" can all be specified now, whereas before ony
>>> "prime256v1" worked because of how we looked up curves. Is that worth
>>> a note in the docs?
>> 
>> Maybe. We have this currently in the manual:
>> 
>>    "The full list of available curves can be shown with the command
>>    <command>openssl ecparam -list_curves</command>.  Not all of them are
>>    usable with <acronym>TLS</acronym> though."
>> 
>> Perhaps we can extend that with a short not on aliases?  Got any suggested
>> wordings for that if so?
> 
> Hm, well, I went down a rabbit hole this afternoon -- OpenSSL has an
> open feature request [1] that might eventually document this the right
> way. In the meantime, maybe something like...
> 
>    An incomplete list of available groups can be shown with the
> command openssl ecparam -list_curves. Not all of them are usable with
> TLS though, and many supported group names and aliases are omitted.
> 
>    In PostgreSQL versions before 18.0 this setting was named
> ssl_ecdh_curve. It only accepted a single value and did not recognize
> group aliases at all.

Attached is a v8 which address the above two raised points, as well as adds a
small note about LibreSSL in the docs as discussed in the retire-1.1.0-thread.

--
Daniel Gustafsson

Attachment: v8-0004-Support-configuring-TLSv1.3-cipher-suites.patch
Description: Binary data

Attachment: v8-0003-Support-configuring-multiple-ECDH-curves.patch
Description: Binary data

Attachment: v8-0002-Raise-the-minimum-supported-OpenSSL-version-to-1..patch
Description: Binary data

Attachment: v8-0001-Handle-alphanumeric-characters-in-matching-GUC-na.patch
Description: Binary data






















					Reply via email to