On 29.06.18 03:37, Michael Paquier wrote: > The set of APIs that we use to the SSL abstraction layer is very > internal, so it would not be an issue if we add some in stable branches, > no? My point is that from OpenSSL point of view, TLS 1.3 stuff has been > added in 1.1.1 which is now in beta 6 stage, so we could consider as > well all this part once OpenSSL is released. That's compatibility work > I wanted to work on anyway. Impossible to say down to which versions of > Postgres things could be applied easily though without a deep > investigation of the new compatibility breakages that upstream OpenSSL > has very-likely introduced in upstream.
One thing we should look into is that OpenSSL maintains separate cipher lists for TLS <=1.2 and TLS 1.3. So the current ssl_ciphers GUC only affects TLS <=1.2 connections. We would probably need to add a separate setting for TLS 1.3. Here is the relevant man page: https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_cipher_list.html This isn't critical, since most people probably run well with the defaults, but someone once wanted the ssl_ciphers GUC, so they'll eventually want one for TLS 1.3 as well. -- Peter Eisentraut http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
