On 12.06.24 10:51, Jelte Fennema-Nio wrote:
> On Mon, 10 Jun 2024 at 12:31, Daniel Gustafsson <daniel@yesql.se> wrote:
>> Regarding the ciphersuites portion of the patch. I'm not particularly thrilled
>> about having a GUC for TLSv1.2 ciphers and one for TLSv1.3 ciphersuites, users
>> not all that familiar with TLS will likely find it confusing to figure out what
>> to do.
>
> I don't think it's easy to create a single GUC because OpenSSL has
> different APIs for both. So we'd have to add some custom parsing for
> the combined string, which is likely to cause some problems imho. I
> think separating them is the best option from the options we have and
> I don't think it matters much in practice for users. Users not familiar
> with TLS might indeed be confused, but those users shouldn't touch
> these settings anyway, and just use the defaults. The users that care
> about this probably already get two cipher strings from their
> compliance teams, because many other applications also have two
> separate options for specifying both.
Maybe some comparisons with other SSL-enabled server products would be
useful.
Here is the Apache httpd setting:
https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslciphersuite
They use a complex syntax to be able to set both via one setting.
Here is the nginx setting:
https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers
This doesn't appear to support TLS 1.3?
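To make the "custom parsing" concern concrete, here is an added example (not code from the PostgreSQL patch or from OpenSSL) of the split a single combined setting would need before the two OpenSSL calls; the "TLS_" prefix rule and the function name split_cipher_setting are assumptions of this example.

```c
#include <string.h>

/*
 * Split one combined cipher setting into the two strings OpenSSL wants:
 * a TLSv1.2 cipher list for SSL_CTX_set_cipher_list() and a TLSv1.3
 * ciphersuite list for SSL_CTX_set_ciphersuites().  Assumed rule of this
 * example (not PostgreSQL's or OpenSSL's): a token whose bare name starts
 * with "TLS_", as every OpenSSL TLSv1.3 suite name does, is a TLSv1.3 suite;
 * keywords (HIGH) and operators (!aNULL, @STRENGTH) stay in the 1.2 list.
 * Returns 0, or -1 on buffer overflow or on a TLSv1.3 suite with a "!", "-"
 * or "+" prefix, which the 1.3 API cannot express.
 */
int
split_cipher_setting(const char *combined,
                     char *v12, size_t v12len, char *v13, size_t v13len)
{
    const char *p = combined;
    v12[0] = v13[0] = '\0';
    while (*p)
    {
        const char *end = strchr(p, ':');
        size_t      n = end ? (size_t) (end - p) : strlen(p);
        const char *name = p;
        char       *dst = v12;
        size_t      cap = v12len, cur;
        /* step over operators so the bare name can be classified */
        while (name < p + n && (*name == '!' || *name == '-' || *name == '+'))
            name++;
        if ((size_t) (p + n - name) >= 4 && strncmp(name, "TLS_", 4) == 0)
        {
            if (name != p)
                return -1;      /* "!TLS_AES_..." has no TLSv1.3 equivalent */
            dst = v13;
            cap = v13len;
        }
        cur = strlen(dst);
        if (n > 0)              /* ignore empty tokens such as "A::B" */
        {
            if (cur + (cur ? 1 : 0) + n >= cap)
                return -1;      /* caller's buffer too small for this token */
            if (cur)
                dst[cur++] = ':';
            memcpy(dst + cur, p, n);
            dst[cur + n] = '\0';
        }
        p = end ? end + 1 : p + n;
    }
    return 0;
}
```

The rejection of "!TLS_..." shows the kind of corner the combined syntax forces a server to define and document itself, which the two-setting design avoids.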