Re: Add support to TLS 1.3 cipher suites and curves lists

On 12/11/24 10:14 AM, Daniel Gustafsson wrote: On 11 Dec 2024, at 18:47, Tom Lane wrote: Oh yay, another naming problem :-(. I think that neither "ciphers" vs. "cipher suites" nor "ssl_ciphers" vs. "ssl_ciphers_tlsv13" is going to convey a lot to the average person who's not steeped in TLS m

Re: Add support to TLS 1.3 cipher suites and curves lists

On Wed, Dec 11, 2024 at 12:47:01PM -0500, Tom Lane wrote: > Jacob Champion writes: >> On Wed, Dec 11, 2024 at 9:11 AM Nathan Bossart >> wrote: >>> Sorry for chiming in so late here, but I was a little surprised to see the >>> TLS version in the GUC name. ISTM this would require us to create a n

Re: Add support to TLS 1.3 cipher suites and curves lists

> On 11 Dec 2024, at 18:47, Tom Lane wrote: > Oh yay, another naming problem :-(. I think that neither "ciphers" > vs. "cipher suites" nor "ssl_ciphers" vs. "ssl_ciphers_tlsv13" is > going to convey a lot to the average person who's not steeped in > TLS minutiae. However, following the preceden

Re: Add support to TLS 1.3 cipher suites and curves lists

Jacob Champion writes: > On Wed, Dec 11, 2024 at 9:11 AM Nathan Bossart > wrote: >> Sorry for chiming in so late here, but I was a little surprised to see the >> TLS version in the GUC name. ISTM this would require us to create a new >> GUC for every new TLS version, or explain that ssl_tls13_c

Re: Add support to TLS 1.3 cipher suites and curves lists

On Wed, Dec 11, 2024 at 9:11 AM Nathan Bossart wrote: > Sorry for chiming in so late here, but I was a little surprised to see the > TLS version in the GUC name. ISTM this would require us to create a new > GUC for every new TLS version, or explain that ssl_tls13_ciphers isn't just > for 1.3. I

Re: Add support to TLS 1.3 cipher suites and curves lists

First of all, thank you all for working on this feature. On Wed, Sep 25, 2024 at 10:51:05AM +0200, Peter Eisentraut wrote: > On 18.09.24 22:48, Jacob Champion wrote: >> > +#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed TLSv1.2 ciphers >> > +#ssl_cipher_suites = ''# allowed TLSv1.3 cipher

Re: Add support to TLS 1.3 cipher suites and curves lists

> On 16 Oct 2024, at 17:30, Jacob Champion > wrote: > Other than that, LGTM! Thanks for all the review work, I went ahead and pushed this patchseries today after a little bit more polishing of comments and docs. So far plover has failed which was expected due to the raised OpenSSL/LibreSSL req

Re: Add support to TLS 1.3 cipher suites and curves lists

On Tue, Oct 15, 2024 at 3:42 AM Daniel Gustafsson wrote: > Thanks! I think the v8 posted todays is about ready to go in and unless there > are objections I'll go ahead with it shortly. This new paragraph is missing a close-paren: > + > + Additionally, LibreSSL is supported >

Re: Add support to TLS 1.3 cipher suites and curves lists

> On 14 Oct 2024, at 15:08, Peter Eisentraut wrote: > > On 26.09.24 11:01, Daniel Gustafsson wrote: >> Attached is a v7 which address a test failure in the CI. It turns out that >> the >> test_misc module gather GUC names using the :alpha: character class which >> only >> allows alphabetic whe

Re: Add support to TLS 1.3 cipher suites and curves lists

> On 3 Oct 2024, at 01:20, Jacob Champion > wrote: > > On Wed, Oct 2, 2024 at 11:33 AM Daniel Gustafsson wrote: >>> If I migrate a server to a different machine that doesn't support my >>> groups, I don't know that this would give me enough information to fix >>> the configuration. >> >> Fair

Re: Add support to TLS 1.3 cipher suites and curves lists

On 26.09.24 11:01, Daniel Gustafsson wrote: Attached is a v7 which address a test failure in the CI. It turns out that the test_misc module gather GUC names using the :alpha: character class which only allows alphabetic whereas GUC names can have digits in them. The 0001 patch fixes this by ins

Re: Add support to TLS 1.3 cipher suites and curves lists

On Wed, Oct 2, 2024 at 11:33 AM Daniel Gustafsson wrote: > > If I migrate a server to a different machine that doesn't support my > > groups, I don't know that this would give me enough information to fix > > the configuration. > > Fair point, how about something along the lines of: > > + er

Re: Add support to TLS 1.3 cipher suites and curves lists

> On 2 Oct 2024, at 19:16, Jacob Champion > wrote: > > On Wed, Sep 25, 2024 at 6:39 AM Daniel Gustafsson wrote: >> I can't recall specific bounds for supporting LibreSSL even being discussed, >> the support is also not documented as an official thing. Requiring TLS 1.3 >> APIs for supporting a

Re: Add support to TLS 1.3 cipher suites and curves lists

On Wed, Sep 25, 2024 at 6:39 AM Daniel Gustafsson wrote: > I can't recall specific bounds for supporting LibreSSL even being discussed, > the support is also not documented as an official thing. Requiring TLS 1.3 > APIs for supporting a library in 2025 (when 18 ships) doesn't seem entirely > unre

Re: Add support to TLS 1.3 cipher suites and curves lists

Attached is a v7 which address a test failure in the CI. It turns out that the test_misc module gather GUC names using the :alpha: character class which only allows alphabetic whereas GUC names can have digits in them. The 0001 patch fixes this by instead using the :alnum: character class which a

Re: Add support to TLS 1.3 cipher suites and curves lists

> On 18 Sep 2024, at 22:48, Jacob Champion > wrote: > On Mon, Sep 9, 2024 at 5:00 AM Daniel Gustafsson wrote: >> The attached version also has a new 0001 which bumps the minimum required >> OpenSSL version to 1.1.1 (from 1.1.0) since this patchset requires API's only >> present in 1.1.1 and onw

Re: Add support to TLS 1.3 cipher suites and curves lists

On 18.09.24 22:48, Jacob Champion wrote: +#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed TLSv1.2 ciphers +#ssl_cipher_suites = ''# allowed TLSv1.3 cipher suites, blank for default After marinating on this a bit... I think the naming may result in some "who's on first" miscommunications

Re: Add support to TLS 1.3 cipher suites and curves lists

On Mon, Sep 9, 2024 at 5:00 AM Daniel Gustafsson wrote: > Good catch. OpenSSL 3.2 changed the error message to be a lot more helpful, > before that there is no error added to the queue at all for this processing > (hence the "no SSL error reported"). The attached adds a hint as well as a > prope

Re: Add support to TLS 1.3 cipher suites and curves lists

> On 22 Jul 2024, at 19:14, Jacob Champion > wrote: > > On Fri, Jul 12, 2024 at 1:03 PM Daniel Gustafsson wrote: >> The original author added the string parsing in order to provide a good error >> message in case of an error in the list, and since that seemed like a nice >> idea >> I kept in m

Re: Add support to TLS 1.3 cipher suites and curves lists

On Wed, Jul 3, 2024 at 9:20 AM Daniel Gustafsson wrote: > It's essentially just polish and adding comments with the functional > changes that a) it parses the entire list of curves so all errors can be > reported instead of giving up at the first error; b) leaving the cipher suite > GUC blank will

Re: Add support to TLS 1.3 cipher suites and curves lists

On Fri, Jul 12, 2024 at 1:03 PM Daniel Gustafsson wrote: > The original author added the string parsing in order to provide a good error > message in case of an error in the list, and since that seemed like a nice > idea > I kept in my review revision. With what you said above I agree it's not w

Re: Add support to TLS 1.3 cipher suites and curves lists

> On 11 Jul 2024, at 23:16, Peter Eisentraut wrote: > It would be worth checking the discussion at > > about strtok()/strtok_r() issues. First, for list parsing, it sometimes > gives the wrong sem

Re: Add support to TLS 1.3 cipher suites and curves lists

On 03.07.24 17:20, Daniel Gustafsson wrote: After fiddling a bit with the code and documentation I came up with the attached version which also makes the testsuite use the list syntax in order to test it. It's essentially just polish and adding comments with the functional changes that a) it par

Re: Add support to TLS 1.3 cipher suites and curves lists

I had a look at this patchset today and I think I've come around to the idea of having a separate GUC for cipher suites. I don't have strong opinions on renaming ssl_ecdh_curve to reflect that it can take a list of multiple values, there is merit to having descriptive names but it would also be an

Re: Add support to TLS 1.3 cipher suites and curves lists

Hi, This thread was referenced by https://www.postgresql.org/message-id/48F0A1F8-E0B4-41F8-990F-41E6BA2A6185%40yesql.se On 2024-06-13 14:34:27 +0800, Erica Zhang wrote: > diff --git a/src/backend/libpq/be-secure-openssl.c > b/src/backend/libpq/be-secure-openssl.c > index 39b1a66236..d097e81407

Re: Add support to TLS 1.3 cipher suites and curves lists

> On 13 Jun 2024, at 09:07, Erica Zhang wrote: > How can I achieve the value for TLS1.3? Do you mean I can set the > Ciphersuites in openssl.conf, then Postgres will pick up and use this value > accordingly? Yes, you should be able to restrict the ciphersuites for TLSv1.3 with openssl.conf on

Re:Re: Re: Re: Add support to TLS 1.3 cipher suites and curves lists

ica Zhang"< ericazhangy2...@qq.com >; Cc recipient:"Michael Paquier"< mich...@paquier.xyz >;"Peter Eisentraut"< pe...@eisentraut.org >;"pgsql-hackers"< pgsql-hackers@lists.postgresql.org >; Subject:Re: Re: Re: Add support to TLS 1.3 ci

Re: Add support to TLS 1.3 cipher suites and curves lists

On 12.06.24 10:51, Jelte Fennema-Nio wrote: On Mon, 10 Jun 2024 at 12:31, Daniel Gustafsson wrote: Regarding the ciphersuites portion of the patch. I'm not particularly thrilled about having a GUC for TLSv1.2 ciphers and one for TLSv1.3 ciphersuites, users not all that familiar with TLS will l

Re: Re: Re: Add support to TLS 1.3 cipher suites and curves lists

On Wed, 12 Jun 2024 at 04:32, Erica Zhang wrote: > There are certain government, financial and other enterprise organizations > that have very strict requirements about the encrypted communication and more > specifically about fine grained params like the TLS ciphers and curves that > they use.

Re: Add support to TLS 1.3 cipher suites and curves lists

On Mon, 10 Jun 2024 at 12:31, Daniel Gustafsson wrote: > Regarding the ciphersuites portion of the patch. I'm not particularly > thrilled > about having a GUC for TLSv1.2 ciphers and one for TLSv1.3 ciphersuites, users > not all that familiar with TLS will likely find it confusing to figure out

Re:Re: Re: Add support to TLS 1.3 cipher suites and curves lists

Email Sender:"Michael Paquier"< mich...@paquier.xyz >; Sent Time:2024/6/7 18:46 To:"Erica Zhang"< ericazhangy2...@qq.com >; Cc recipient:"Peter Eisentraut"< pe...@eisentraut.org >;"pgsql-hackers"< pgsql-hackers@lists.postgresql.org &

Re: Add support to TLS 1.3 cipher suites and curves lists

> On 7 Jun 2024, at 19:14, Jacob Champion > wrote: > - Could you separate the two features into two patches? That would > make it easier for reviewers. (They can still share the same thread > and CF entry.) +1, please do. > - The "curve" APIs have been renamed "group" in newer OpenSSLs for a >

Re: Re: Add support to TLS 1.3 cipher suites and curves lists

On Fri, Jun 7, 2024 at 3:02 AM Erica Zhang wrote: > > For some security consideration, we prefer to use TLS1.3 cipher suites in our > product with some customization values instead of default value > "HIGH:MEDIUM:+3DES:!aNULL". Moreover we prefer to set a group of ecdh keys > instead of a singl

Re: Re: Add support to TLS 1.3 cipher suites and curves lists

On Fri, Jun 07, 2024 at 06:02:37PM +0800, Erica Zhang wrote: > I see the https://commitfest.postgresql.org/48/ is still open, could > it be possible to target for PG17? As I know PG17 is going to be > release this year so that we can upgrade our instances to this new > version accodingly. Echoing

Re: Add support to TLS 1.3 cipher suites and curves lists

On 07.06.24 08:10, Erica Zhang wrote: I’m a Postgres user and I’m looking into restricting the set of allowed ciphers on Postgres and configure a concrete set of curves on our postgres instances. Out of curiosity, why is this needed in practice? Could you please help to review to see if you a