Hi all,

I’m a security engineer and I’m looking into restricting the set of allowed 
ciphers on Postgres and configuring a concrete set of curves on our Postgres 
instances.

I see in the source code that only TLS 1.2 and below cipher lists can be 
configured:

https://github.com/postgres/postgres/blob/master/src/backend/libpq/be-secure-openssl.c#L281

and Postgres relies on the OpenSSL defaults for TLS 1.3 ciphersuites.

My first question is whether there is a reason not to support setting TLS 1.3 
cipher suites through configuration? Maybe there are Postgres builds with 
BoringSSL? (Just speculating?)

Another thing I was curious about is why Postgres opts to support setting 
only a single elliptic group 
(https://github.com/postgres/postgres/blob/master/src/backend/libpq/be-secure-openssl.c#L1303)
instead of calling out to an SSL function like SSL_CTX_set1_curves_list?

Would the community be interested in seeing patches for setting TLS 1.3 
ciphersuites and expanding the configuration option for EC settings to support 
lists instead of single values ?

Thanks,
Seraphime Kirkovski
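An added example, not code from the post or from PostgreSQL, showing the split the post describes. It uses Python's ssl module because that module wraps the same OpenSSL entry points: set_ciphers() calls SSL_CTX_set_cipher_list() (TLS 1.2 and below only), set_ecdh_curve() takes exactly one curve name, and the standard library has no binding for SSL_CTX_set_ciphersuites() or SSL_CTX_set1_curves_list(), so it exhibits the gap rather than the fix. The cipher strings are constructed inputs and the curve name prime256v1 is an assumed value; it needs a Python linked against OpenSSL 1.1.1 or later.

```python
"""Added example (not from the post or PostgreSQL): show which OpenSSL knob
governs which TLS version, using Python's ssl module as a thin wrapper."""
import ssl

# Constructed input: a cipher string an administrator might set as
# postgresql.conf ssl_ciphers.  It reaches SSL_CTX_set_cipher_list(), which
# only governs TLS 1.2 and earlier.
TLS12_CIPHER_LIST = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"

# A TLS 1.3 suite name.  TLS 1.3 suites are configured through the separate
# SSL_CTX_set_ciphersuites() call; the cipher-list parser does not select them.
TLS13_SUITE = "TLS_AES_256_GCM_SHA384"

# Whether the linked OpenSSL supports TLS 1.3 at all (exposed so callers can
# decide whether to expect TLS 1.3 suites in the results).
HAS_TLS13 = ssl.HAS_TLSv1_3


def offered_ciphers_by_protocol(cipher_list: str, curve: str = "prime256v1") -> dict:
    """Build a server context with the given TLS<=1.2 cipher list and a single
    ECDH curve (assumed default: prime256v1), then return
    {protocol: [cipher names]} for everything OpenSSL would still offer.
    Any TLS 1.3 entries come from OpenSSL's built-in default, not from
    `cipher_list`, which is the gap the post describes."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_list)   # -> SSL_CTX_set_cipher_list(): TLS 1.2 and below
    ctx.set_ecdh_curve(curve)      # one curve only, like a single-valued ssl_ecdh_curve
    by_proto: dict = {}
    for c in ctx.get_ciphers():
        by_proto.setdefault(c["protocol"], []).append(c["name"])
    return by_proto


def tls13_suites_still_offered(cipher_list: str) -> bool:
    """True if TLS 1.3 suites remain on offer even though `cipher_list` names
    none of them: restricting the TLS<=1.2 list does not touch TLS 1.3."""
    if not HAS_TLS13:
        return False
    offered = offered_ciphers_by_protocol(cipher_list)
    return any(name.startswith("TLS_") for name in offered.get("TLSv1.3", []))


def cipher_list_accepts(cipher_string: str) -> bool:
    """Whether SSL_CTX_set_cipher_list() accepts the string.  A string naming
    only TLS 1.3 suites leaves no TLS<=1.2 cipher selected, so OpenSSL rejects
    it ("No cipher can be selected") and the ssl module raises SSLError.  An
    operator who tries to pin TLS 1.3 suites through the TLS<=1.2 knob therefore
    gets a hard error, not a silently ignored setting."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return False
    return True


if __name__ == "__main__":
    for proto, names in sorted(offered_ciphers_by_protocol(TLS12_CIPHER_LIST).items()):
        print(proto, names)
    print("TLS 1.3 suites still offered:", tls13_suites_still_offered(TLS12_CIPHER_LIST))
    print("TLS 1.3 name accepted by cipher list:", cipher_list_accepts(TLS13_SUITE))
```

In OpenSSL's own C API the two calls the post asks about are SSL_CTX_set_ciphersuites(ctx, "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256") for the TLS 1.3 list and SSL_CTX_set1_curves_list(ctx, "X25519:P-256") for a multi-curve preference list; both exist in OpenSSL 1.1.1 and later, and a server that only sets the TLS 1.2 cipher list keeps offering every default TLS 1.3 suite, as the example shows.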
