On 29.06.18 03:37, Michael Paquier wrote:
> The set of APIs that we use to the SSL abstraction layer is very
> internal, so it would not be an issue if we add some in stable branches,
> no? My point is that from OpenSSL point of view, TLS 1.3 stuff has been
> added in 1.1.1 which is now in beta 6 stage, so we could consider as
> well all this part once OpenSSL is released. That's compatibility work
> I wanted to work on anyway. Impossible to say down to which versions of
> Postgres things could be applied easily though without a deep
> investigation of the new compatibility breakages that upstream OpenSSL
> has very-likely introduced in upstream.
One thing we should look into is that OpenSSL maintains separate cipher
lists for TLS <=1.2 and TLS 1.3. So the current ssl_ciphers GUC only
affects TLS <=1.2 connections. We would probably need to add a separate
setting for TLS 1.3.
Here is the relevant man page:
https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_cipher_list.html
This isn't critical, since most people probably run well with the
defaults, but someone once wanted the ssl_ciphers GUC, so they'll
eventually want one for TLS 1.3 as well.
--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services