I had a look at this patchset today and I think I've come around to the idea of having a separate GUC for cipher suites. I don't have strong opinions on renaming ssl_ecdh_curve to reflect that it can take a list of multiple values; there is merit to having descriptive names, but it would also be an invasive change for adding a suffix 's'.

After fiddling a bit with the code and documentation I came up with the attached version, which also makes the testsuite use the list syntax in order to test it. It's essentially just polish and adding comments, with the functional changes that a) it parses the entire list of curves so all errors can be reported instead of giving up at the first error; b) leaving the cipher suite GUC blank will set the suites to the OpenSSL default value.

This patch requires OpenSSL 1.1.1 as the minimum version, which in my view is fine. Removing support for older OpenSSL versions is being discussed already and this makes a good case for requiring 1.1.1. It does however mean that this patch cannot be committed until that has been done though. I have yet to test this with LibreSSL.

As was suggested in a related thread I think we should change the default value of the ECDH curves parameter, but that's for another patch.

--
Daniel Gustafsson

v3-0001-Support-multiple-ECDH-curves.patch
v3-0002-Support-TLSv1.3-cipher-suites.patch