> On 17 Jun 2024, at 19:56, Andres Freund wrote:
> On 2024-06-17 19:51:45 +0200, Daniel Gustafsson wrote:
>> Changing the default of the ecdh GUC would perhaps be doable?
>
> I was wondering whether we could change the default so that it accepts both
> x25519 and secp256r1. Unfortunately that se
Hi,
On 2024-06-17 19:51:45 +0200, Daniel Gustafsson wrote:
> > On 17 Jun 2024, at 19:44, Andres Freund wrote:
>
> >> Let's bring that to Erica's patch for allowing a list of curves.
> >
> > I'm kinda wondering if we ought to do something about this in the
> > backbranches. Forcing unnecessary r
> On 17 Jun 2024, at 19:44, Andres Freund wrote:
>> Let's bring that to Erica's patch for allowing a list of curves.
>
> I'm kinda wondering if we ought to do something about this in the
> backbranches. Forcing unnecessary roundtrips onto everyone for the next five
> years due to an oversight on
Hi,
On 2024-06-17 19:29:47 +0200, Daniel Gustafsson wrote:
> >> I wonder if that made OpenSSL override the min protocol version and switch
> >> to a TLS1.3 ClientHello since it otherwise couldn't announce the curve.
> >
> > The client seems to announce the curve in the initial ClientHello even wit
> On 17 Jun 2024, at 19:01, Andres Freund wrote:
> On 2024-06-17 12:00:30 +0200, Daniel Gustafsson wrote:
>>> On 17 Jun 2024, at 01:46, Andres Freund wrote:
>>> I don't know if it's good that we're calling SSL_CTX_set_tmp_ecdh at all,
>>
>> To set the specified curve in ssl_ecdh_curve we have t
On Mon, Jun 17, 2024 at 10:01 AM Andres Freund wrote:
> On 2024-06-17 12:00:30 +0200, Daniel Gustafsson wrote:
> > To set the specified curve in ssl_ecdh_curve we have to, don't we?
>
> Sure, but it's not obvious to me why we actually want to override openssl's
> defaults here. There's not even a p
Hi,
On 2024-06-17 12:00:30 +0200, Daniel Gustafsson wrote:
> > On 17 Jun 2024, at 01:46, Andres Freund wrote:
>
> > When connecting with a libpq based client, the TLS establishment ends up
> > like
> > this in many configurations:
> >
> > C->S: TLSv1 393 Client Hello
> > S->C: TLSv1.3 167 Hello
> On 17 Jun 2024, at 01:46, Andres Freund wrote:
> When connecting with a libpq based client, the TLS establishment ends up like
> this in many configurations:
>
> C->S: TLSv1 393 Client Hello
> S->C: TLSv1.3 167 Hello Retry Request, Change Cipher Spec
> C->S: TLSv1.3 432 Change Cipher Spec, Cli
Hi,
When connecting with a libpq based client, the TLS establishment ends up like
this in many configurations:
C->S: TLSv1 393 Client Hello
S->C: TLSv1.3 167 Hello Retry Request, Change Cipher Spec
C->S: TLSv1.3 432 Change Cipher Spec, Client Hello
S->C: TLSv1.3 1407 Server Hello, Application Dat
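The exchange quoted above (ClientHello, HelloRetryRequest, second ClientHello) is what a TLS 1.3 server produces when the only group it will accept is secp256r1 while the client's ClientHello carried a key_share for X25519 only, which is also why the thread discusses letting the server accept both groups. What follows is an added example, not code from this thread, from PostgreSQL or from OpenSSL: a small Python model of the RFC 8446 group negotiation that builds the relevant ClientHello and ServerHello bytes, applies an assumed server policy (use a client key_share whose group is allowed; otherwise name the first allowed group the client supports and send a HelloRetryRequest), detects the HRR by its fixed Random value, and counts how many ClientHellos the client has to send. The group lists, the dummy key-share bytes and the server policy are assumptions; no real key exchange takes place.

```python
# Added example (not PostgreSQL or OpenSSL code): model of TLS 1.3 (RFC 8446)
# group negotiation. Key shares are constructed dummy bytes; no ECDH happens.
import hashlib
import os
import struct

NAMED_GROUPS = {"secp256r1": 0x0017, "secp384r1": 0x0018, "x25519": 0x001D}  # RFC 8446 4.2.7
GROUP_BY_ID = {v: k for k, v in NAMED_GROUPS.items()}
EXT_SUPPORTED_GROUPS, EXT_KEY_SHARE = 10, 51
# RFC 8446 4.1.3: a HelloRetryRequest is a ServerHello whose Random is this value.
HRR_RANDOM = hashlib.sha256(b"HelloRetryRequest").digest()

def _vec(data, size):
    """Length-prefixed vector with a size-byte big-endian length."""
    return len(data).to_bytes(size, "big") + data

def _ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body

def _dummy_share(group):
    """Placeholder KeyShareEntry (constructed); no real key exchange."""
    return struct.pack("!H", NAMED_GROUPS[group]) + _vec(os.urandom(32), 2)

def build_client_hello(supported, key_shares):
    """Minimal ClientHello carrying only supported_groups and key_share."""
    groups = b"".join(struct.pack("!H", NAMED_GROUPS[g]) for g in supported)
    exts = (_ext(EXT_SUPPORTED_GROUPS, _vec(groups, 2))
            + _ext(EXT_KEY_SHARE, _vec(b"".join(map(_dummy_share, key_shares)), 2)))
    body = (b"\x03\x03" + os.urandom(32) + _vec(b"", 1)   # version, random, session id
            + _vec(b"\x13\x01", 2) + _vec(b"\x00", 1)     # one cipher suite, null compression
            + _vec(exts, 2))
    return b"\x01" + _vec(body, 3)

def parse_client_hello(msg):
    """Return (supported_groups, key_share_groups) as lists of group names."""
    if msg[0] != 0x01:
        raise ValueError("not a ClientHello")
    off = 4 + 2 + 32                                   # header, version, random
    off += 1 + msg[off]                                # legacy_session_id
    off += 2 + struct.unpack_from("!H", msg, off)[0]   # cipher_suites
    off += 1 + msg[off]                                # compression methods
    ext_len = struct.unpack_from("!H", msg, off)[0]
    exts, pos, supported, shares = msg[off + 2:off + 2 + ext_len], 0, [], []
    while pos < len(exts):
        etype, elen = struct.unpack_from("!HH", exts, pos)
        data, pos = exts[pos + 4:pos + 4 + elen], pos + 4 + elen
        n = struct.unpack_from("!H", data, 0)[0] if len(data) >= 2 else 0  # inner length
        if etype == EXT_SUPPORTED_GROUPS:
            ids = struct.unpack("!%dH" % (n // 2), data[2:2 + n])
            supported = [GROUP_BY_ID.get(i, hex(i)) for i in ids]
        elif etype == EXT_KEY_SHARE:
            p = 2
            while p < 2 + n:
                gid, klen = struct.unpack_from("!HH", data, p)
                shares.append(GROUP_BY_ID.get(gid, hex(gid)))
                p += 4 + klen
    return supported, shares

def server_response(server_groups, client_hello):
    """Assumed server policy: use a client key_share whose group is allowed
    (no extra round trip); otherwise pick the first allowed group the client
    supports and answer with an HRR. Returns (group, is_hrr)."""
    supported, shares = parse_client_hello(client_hello)
    for g in shares:
        if g in server_groups:
            return g, False
    for g in server_groups:
        if g in supported:
            return g, True
    raise ValueError("no common group")

def build_server_hello(group, hrr):
    """ServerHello, or HelloRetryRequest when hrr is True, with only key_share."""
    if hrr:   # KeyShareHelloRetryRequest carries just the selected group
        ks, rnd = struct.pack("!H", NAMED_GROUPS[group]), HRR_RANDOM
    else:
        ks, rnd = _dummy_share(group), os.urandom(32)
    body = b"\x03\x03" + rnd + _vec(b"", 1) + b"\x13\x01\x00" + _vec(_ext(EXT_KEY_SHARE, ks), 2)
    return b"\x02" + _vec(body, 3)

def is_hello_retry_request(msg):
    """The only way to tell an HRR from a ServerHello is its fixed Random."""
    return msg[0] == 0x02 and msg[6:38] == HRR_RANDOM

def client_flights(server_groups, client_supported, client_key_shares):
    """(number of ClientHellos sent, agreed group); 2 means an HRR round trip."""
    ch = build_client_hello(client_supported, client_key_shares)
    group, hrr = server_response(server_groups, ch)
    if not is_hello_retry_request(build_server_hello(group, hrr)):
        return 1, group
    group, hrr = server_response(server_groups, build_client_hello(client_supported, [group]))
    assert not hrr, "a second HRR is a protocol violation"
    return 2, group

if __name__ == "__main__":   # constructed client: offers three groups, key_share for X25519 only
    print("server pinned to secp256r1:", client_flights(["secp256r1"], ["x25519", "secp256r1", "secp384r1"], ["x25519"]))
    print("server allows both:", client_flights(["x25519", "secp256r1"], ["x25519", "secp256r1", "secp384r1"], ["x25519"]))
```

Running it prints one extra ClientHello for the server pinned to a single curve and none for the server that accepts X25519 as well; the same model also shows that a client which sends key shares for both groups never needs the retry, which is the other way the round trip goes away.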