Re:Re: Re: Re: Add support to TLS 1.3 cipher suites and curves lists

Thu, 13 Jun 2024 00:08:20 -0700 

Hi Jelte and Daniel,


Based on my understanding currently there is no setting that controls the 
cipher choices used by TLS version 1.3 connections but the default 
value(HIGH:MEDIUM:+3DES:!aNULL) is used. So if I want to connect to Postgres 
(eg. Postgres 14) with different TLS versions of customized ciphers instead of 
default one like below:


eg. 

TLS1.2 of ciphers 
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA

TLS1.3 of ciphers
TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256

For TLS1.2 connection, we can set the configuration in postgresql.conf as:
ssl_ciphers = 
'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA'
How can I achieve the value for TLS1.3? Do you mean I can set the Ciphersuites 
in openssl.conf, then Postgres will pick up and use this value accordingly?

eg. I can run below command to set ciphersuites of TLS1.3 on my appliance:
openssl ciphers -ciphersuites TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256

then Postgres will use 'TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256" as 
ciphers for TLS1.3 connection?
Thanks,
Erica Zhang






                       
Original Email
                       
                     

Sender:"Jelte Fennema-Nio"< [email protected] &gt;;

Sent Time:2024/6/12 16:51

To:"Erica Zhang"< [email protected] &gt;;

Cc recipient:"Michael Paquier"< [email protected] &gt;;"Peter Eisentraut"< 
[email protected] &gt;;"pgsql-hackers"< [email protected] 
&gt;;

Subject:Re: Re: Re: Add support to TLS 1.3 cipher suites and curves lists


On Wed, 12 Jun 2024 at 04:32, Erica Zhang  wrote:
&gt; There are certain government, financial and other enterprise organizations 
that have very strict requirements about the encrypted communication and more 
specifically about fine grained params like the TLS ciphers and curves that 
they use. The default ones for those customers are not acceptable. Any products 
that integrate Postgres and requires encrypted communication with the Postgres 
would have to fulfil those requirements.

Yeah, I ran into such requirements before too. So I do think it makes
sense to have such a feature in Postgres.

&gt; So if we can have this patch in the upcoming new major version, that means 
Postgres users who have similar requirements can upgrade to PG17.

As Daniel mentioned you can already achieve the same using the
"Ciphersuites" directive in openssl.conf. Also you could of course
always disable TLSv1.3 support.

Reply via email to