public inbox for [email protected]
help / color / mirror / Atom feedFrom: Jacob Champion <[email protected]>
To: Erica Zhang <[email protected]>
Cc: Peter Eisentraut <[email protected]>
Cc: pgsql-hackers <[email protected]>
Subject: Re: Re: Add support to TLS 1.3 cipher suites and curves lists
Date: Fri, 7 Jun 2024 10:14:50 -0700
Message-ID: <CAOYmi+k2qaJio+JkfKC2J+Shx8Fym-ifERhFLCR6mz7UXKxLVw@mail.gmail.com> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
On Fri, Jun 7, 2024 at 3:02 AM Erica Zhang <[email protected]> wrote:
>
> For some security consideration, we prefer to use TLS1.3 cipher suites in our product with some customization values instead of default value "HIGH:MEDIUM:+3DES:!aNULL". Moreover we prefer to set a group of ecdh keys instead of a single value.
+1 for the curve list feature, at least. No opinions on the 1.3
ciphersuites half, yet.
I've added this patch to my planned review for the v18 cycle. Some
initial notes:
- Could you separate the two features into two patches? That would
make it easier for reviewers. (They can still share the same thread
and CF entry.)
- The "curve" APIs have been renamed "group" in newer OpenSSLs for a
while now, and we should probably use those if possible.
- I think parsing apart the groups list to check NIDs manually could
lead to false negatives. From a docs skim, 3.0 allows providers to add
their own group names, and 3.3 now supports question marks in the
string to allow graceful fallbacks.
- I originally thought it'd be better to just stop calling
SSL_set_tmp_ecdh() entirely by default, so we could use OpenSSL's
builtin list of groups. But that may have denial-of-service concerns
[1]?
- We should maybe look into SSL_CTX_config(), if we haven't discussed
that already on the list, but that's probably a bigger tangent and
doesn't need to be part of this patch.
Thanks,
--Jacob
[1] https://www.openssl.org/blog/blog/2022/10/21/tls-groups-configuration/index.html
view thread (4+ messages) latest in thread
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected], [email protected]
Subject: Re: Re: Add support to TLS 1.3 cipher suites and curves lists
In-Reply-To: <CAOYmi+k2qaJio+JkfKC2J+Shx8Fym-ifERhFLCR6mz7UXKxLVw@mail.gmail.com>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox