| author | Daniel Gustafsson | 2024-10-24 13:20:32 +0000 |
|---|---|---|
| committer | Daniel Gustafsson | 2024-10-24 13:20:32 +0000 |
| commit | 45188c2ea2391b7b24039e1632c726e2fc6b8008 (patch) | |
| tree | e85052c98e0775dd4932789e0fe603909a36bccf /doc/src | |
| parent | 3d1ef3a15c3eb68dae44b94e89d04c422b26fc16 (diff) | |
Support configuring TLSv1.3 cipher suites
The ssl_ciphers GUC can only set cipher suites for TLSv1.2, and lower,
connections. For TLSv1.3 connections a different OpenSSL API must be
used. This adds a new GUC, ssl_tls13_ciphers, which can be used to
configure a colon-separated list of cipher suites to support when
performing a TLSv1.3 handshake.
Original patch by Erica Zhang with additional hacking by me.
Author: Erica Zhang <[email protected]>
Author: Daniel Gustafsson <[email protected]>
Reviewed-by: Jacob Champion <[email protected]>
Reviewed-by: Andres Freund <[email protected]>
Reviewed-by: Peter Eisentraut <[email protected]>
Reviewed-by: Jelte Fennema-Nio <[email protected]>
Discussion: https://postgr.es/m/[email protected]
Diffstat (limited to 'doc/src')

| -rw-r--r-- | doc/src/sgml/config.sgml | 36 |
|---|---|---|

1 files changed, 28 insertions, 8 deletions
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml index f8d862a6ce4..dc401087dc6 100644 --- a/doc/src/sgml/config.sgml +++ b/doc/src/sgml/config.sgml @@ -1340,6 +1340,28 @@ include_dir 'conf.d' </listitem> </varlistentry> + <varlistentry id="guc-ssl-tls13-ciphers" xreflabel="ssl_tls13_ciphers"> + <term><varname>ssl_tls13_ciphers</varname> (<type>string</type>) + <indexterm> + <primary><varname>ssl_tls13_ciphers</varname> configuration parameter</primary> + </indexterm> + </term> + <listitem> + <para> + Specifies a list of cipher suites that are allowed by connections using + <acronym>TLS</acronym> version 1.3. Multiple cipher suites can be + specified by using a colon separated list. If left blank, the default + set of cipher suites in <productname>OpenSSL</productname> will be used. + </para> + + <para> + This parameter can only be set in the + <filename>postgresql.conf</filename> file or on the server command + line. + </para> + </listitem> + </varlistentry> + <varlistentry id="guc-ssl-ciphers" xreflabel="ssl_ciphers"> <term><varname>ssl_ciphers</varname> (<type>string</type>) <indexterm> 
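Review bot: the new ssl_tls13_ciphers entry never says where the accepted suite names and list syntax are documented, while the neighbouring ssl_ciphers entry sends readers to the OpenSSL ciphers manual page; add the same reference after "specified by using a colon separated list.", for example: "See the <citerefentry><refentrytitle>ciphers</refentrytitle></citerefentry> manual page in the <productname>OpenSSL</productname> package for the syntax of this setting and a list of supported values." Two wording nits in the same paragraph: "colon separated" should be "colon-separated", and "cipher suites that are allowed by connections" reads more naturally as "cipher suites that are allowed for connections".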
@@ -1348,15 +1370,13 @@ include_dir 'conf.d' </term> <listitem> <para> - Specifies a list of <acronym>SSL</acronym> cipher suites that are - allowed to be used by SSL connections. See the - <citerefentry><refentrytitle>ciphers</refentrytitle></citerefentry> + Specifies a list of <acronym>SSL</acronym> ciphers that are allowed by + connections using TLS version 1.2 and lower, see + <xref linkend="guc-ssl-tls13-ciphers"/> for TLS version 1.3 connections. See + the <citerefentry><refentrytitle>ciphers</refentrytitle></citerefentry> manual page in the <productname>OpenSSL</productname> package for the - syntax of this setting and a list of supported values. Only - connections using TLS version 1.2 and lower are affected. There is - currently no setting that controls the cipher choices used by TLS - version 1.3 connections. The default value is - <literal>HIGH:MEDIUM:+3DES:!aNULL</literal>. The default is usually a + syntax of this setting and a list of supported values. The default value + is <literal>HIGH:MEDIUM:+3DES:!aNULL</literal>. The default is usually a reasonable choice unless you have specific security requirements. </para> |
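Review bot: the rewritten opening sentence is a comma splice that runs into a second "See" clause ("... TLS version 1.2 and lower, see <xref linkend="guc-ssl-tls13-ciphers"/> for TLS version 1.3 connections. See the ..."); split it into two sentences, e.g. "Specifies a list of <acronym>SSL</acronym> ciphers that are allowed for connections using TLS version 1.2 and lower. See <xref linkend="guc-ssl-tls13-ciphers"/> for TLS version 1.3 connections." Note also that this entry now says "ciphers" where the new TLS 1.3 entry says "cipher suites"; since the commit message states the two settings go through different APIs, a short clause saying that the two lists use different formats and are not interchangeable would save readers from copying one value into the other.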