| From: | Seraphime Kirkovski <skirkovski(at)vmware(dot)com> |
|---|---|
| To: | "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Fine-tune TLS 1.3 cipher suites and curves lists |
| Date: | 2023-07-17 13:16:02 |
| Message-ID: | CO1PR05MB8313FB0BAAC1C99F4C4AE339AF2CA@CO1PR05MB8313.namprd05.prod.outlook.com |
| Lists: | pgsql-hackers |
Hi all,
I’m a security engineer and I’m looking into restricting the set of allowed ciphers on Postgres and configuring a concrete set of curves on our Postgres instances.
I see in the source code that only TLS 1.2 and below cipher lists can be configured:
https://github.com/postgres/postgres/blob/master/src/backend/libpq/be-secure-openssl.c#L281
and Postgres relies on the OpenSSL defaults for TLS 1.3 ciphersuites.
My first question is whether there is a reason not to support setting TLS 1.3 cipher suites through configuration? Maybe there are Postgres builds with BoringSSL? (Just speculating?)
Another thing I was curious about is why Postgres opts to support setting only a single elliptic group (https://github.com/postgres/postgres/blob/master/src/backend/libpq/be-secure-openssl.c#L1303) instead of calling out to an SSL function like SSL_CTX_set1_curves_list?
Would the community be interested in seeing patches for setting TLS 1.3 ciphersuites and expanding the configuration option for EC settings to support lists instead of single values?
Thanks,
Seraphime Kirkovski
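An added illustration of the gap the message describes, written for this page and not taken from the thread or from PostgreSQL's own code. Python's standard ssl module wraps the same OpenSSL calls: set_ciphers() maps to SSL_CTX_set_cipher_list() and therefore governs only TLS 1.2 and below, and set_ecdh_curve() is a single-group setter with no list form, which mirrors the single-value curve setting the message points at. The cipher-list string and curve name below are constructed sample values, and the function names are assumptions of this example.

```python
import ssl

# Constructed sample policy (assumption, not from the thread): allow only ECDHE
# key exchange with AES-GCM. This is OpenSSL cipher-list syntax, the kind of
# string SSL_CTX_set_cipher_list() consumes, so it affects TLS <= 1.2 only.
SAMPLE_TLS12_POLICY = "ECDHE+AESGCM:!aNULL:!eNULL:!MD5"


def audit_cipher_config(cipher_list=SAMPLE_TLS12_POLICY, curve="prime256v1"):
    """Build a server context from a TLS 1.2 cipher list and a single curve,
    then report which suites are actually negotiable, split by protocol."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Equivalent of SSL_CTX_set_cipher_list(): TLS 1.3 suites are not touched.
    ctx.set_ciphers(cipher_list)
    # Single-group setter only; Python exposes no SSL_CTX_set1_curves_list()
    # wrapper, the same limitation the message asks about in Postgres.
    if hasattr(ctx, "set_ecdh_curve"):
        ctx.set_ecdh_curve(curve)
    # get_ciphers() lists everything OpenSSL will offer, including the
    # TLS 1.3 suites it enables by default.
    enabled = ctx.get_ciphers()
    tls12 = sorted(c["name"] for c in enabled if c["protocol"] != "TLSv1.3")
    tls13 = sorted(c["name"] for c in enabled if c["protocol"] == "TLSv1.3")
    return {"tls12": tls12, "tls13": tls13}


def tls13_not_covered(cipher_list=SAMPLE_TLS12_POLICY):
    """TLS 1.3 suites that remain enabled although the TLS 1.2 policy string
    never names them: the part of the configuration a 1.2-only list cannot
    restrict. Controlling these needs SSL_CTX_set_ciphersuites() instead."""
    report = audit_cipher_config(cipher_list)
    return [name for name in report["tls13"] if name not in cipher_list]


if __name__ == "__main__":
    report = audit_cipher_config()
    print("TLS <= 1.2 suites allowed by the list:", report["tls12"])
    print("TLS 1.3 suites left at OpenSSL defaults:", report["tls13"])
    print("Not restrictable through this list:", tls13_not_covered())
```

Run against an OpenSSL 1.1.1 or later build, the first list contains only ECDHE AES-GCM suites while the second still shows the default TLS 1.3 suites (including ChaCha20-Poly1305, which the 1.2 policy excluded), which is exactly why a separate TLS 1.3 ciphersuite setting is needed to enforce a policy across both protocol versions.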