Re:Re: Re: Re: Add support to TLS 1.3 cipher suites and curves lists

From: Erica Zhang
Subject: Re:Re: Re: Re: Add support to TLS 1.3 cipher suites and curves lists
Date:
Msg-id: tencent_BBAD7851FF8298828987798D6838E72C0F05@qq.com
In reply to: Add support to TLS 1.3 cipher suites and curves lists ("Erica Zhang" <ericazhangy2021@qq.com>)
Responses: Re: Add support to TLS 1.3 cipher suites and curves lists
List: pgsql-hackers

Hi Jelte and Daniel,

Based on my understanding, currently there is no setting that controls the cipher choices used by TLS version 1.3 connections; the default value (HIGH:MEDIUM:+3DES:!aNULL) is used instead. So if I want to connect to Postgres (e.g. Postgres 14) with different TLS versions and customized ciphers instead of the default ones, like below:

e.g.

TLS 1.2 ciphers:

ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA

TLS 1.3 ciphers:

TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256

For a TLS 1.2 connection, we can set the configuration in postgresql.conf as:

ssl_ciphers = 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA'

How can I achieve the same for TLS 1.3? Do you mean I can set the Ciphersuites in openssl.conf, and then Postgres will pick up and use this value accordingly?

e.g. I can run the command below to set the TLS 1.3 ciphersuites on my appliance:

openssl ciphers -ciphersuites TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256

and then Postgres will use 'TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256' as the ciphers for the TLS 1.3 connection?

Thanks,
Erica Zhang



Original Email

Sender: "Jelte Fennema-Nio" <postgres@jeltef.nl>
Sent Time: 2024/6/12 16:51
To: "Erica Zhang" <ericazhangy2021@qq.com>
Cc: "Michael Paquier" <michael@paquier.xyz>; "Peter Eisentraut" <peter@eisentraut.org>; "pgsql-hackers" <pgsql-hackers@lists.postgresql.org>
Subject: Re: Re: Re: Add support to TLS 1.3 cipher suites and curves lists


On Wed, 12 Jun 2024 at 04:32, Erica Zhang wrote:
> There are certain government, financial and other enterprise organizations that have very strict requirements about the encrypted communication and more specifically about fine grained params like the TLS ciphers and curves that they use. The default ones for those customers are not acceptable. Any products that integrate Postgres and requires encrypted communication with the Postgres would have to fulfil those requirements.

Yeah, I ran into such requirements before too. So I do think it makes
sense to have such a feature in Postgres.

> So if we can have this patch in the upcoming new major version, that means Postgres users who have similar requirements can upgrade to PG17.

As Daniel mentioned, you can already achieve the same using the
"Ciphersuites" directive in openssl.conf. Also you could of course
always disable TLSv1.3 support.
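As an added illustration (not part of this thread, and not PostgreSQL's own code or documentation), this is what the openssl.cnf route Jelte refers to looks like. It uses OpenSSL's ssl_conf module (1.1.1 and later), whose system_default section is applied to every SSL_CTX created by a process that loads the default config; the section names are arbitrary placeholders, and the suite lists are the ones Erica gives above.

```ini
# openssl.cnf (path is whatever `openssl version -d` reports on the host)
# Section names below are placeholders; only the key names are fixed.
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
# Refuse anything older than TLS 1.2 at the library level.
MinProtocol = TLSv1.2

# TLS 1.2 and below. PostgreSQL's ssl_ciphers is applied to the context
# after it is created, so for these versions postgresql.conf still wins;
# keep the two lists identical to avoid surprises.
CipherString = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA

# TLS 1.3 only. Per the thread, no postgresql.conf setting controls this
# list, so this directive is the only place it is set.
Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
```

The server only honours this if it loads the default OpenSSL config at startup, so verify rather than assume: `openssl s_client -starttls postgres -connect host:5432 -tls1_3` against a test instance shows the suite actually negotiated.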
