author | Daniel Gustafsson <dgustafsson@postgresql.org> | 2024-10-24 15:20:28 +0200 |
---|---|---|
committer | Daniel Gustafsson <dgustafsson@postgresql.org> | 2024-10-24 15:20:28 +0200 |
commit | 3d1ef3a15c3eb68dae44b94e89d04c422b26fc16 (patch) | |
tree | a710673741765cd033447a36f5e06005fa3fdc38 /doc/src | |
parent | 6c66b7443cebf3ff09ea76416a20fb6bb1d32a52 (diff) | |
download | postgresql-3d1ef3a15c3eb68dae44b94e89d04c422b26fc16.tar.gz postgresql-3d1ef3a15c3eb68dae44b94e89d04c422b26fc16.zip |
Support configuring multiple ECDH curves
The ssl_ecdh_curve GUC only accepts a single value, but the TLS
handshake can list multiple curves in the groups extension (the
extension has been renamed to contain more than elliptic curves).
This changes the GUC to accept a colon-separated list of curves.
This commit also renames the GUC to ssl_groups to match the new
nomenclature for the TLS extension.
Original patch by Erica Zhang with additional hacking by me.
Author: Erica Zhang <ericazhangy2021@qq.com>
Author: Daniel Gustafsson <daniel@yesql.se>
Reviewed-by: Jacob Champion <jacob.champion@enterprisedb.com>
Reviewed-by: Andres Freund <andres@anarazel.de>
Reviewed-by: Peter Eisentraut <peter@eisentraut.org>
Reviewed-by: Jelte Fennema-Nio <postgres@jeltef.nl>
Discussion: https://postgr.es/m/tencent_063F89FA72CCF2E48A0DF5338841988E9809@qq.com
Diffstat (limited to 'doc/src')
-rw-r--r-- | doc/src/sgml/config.sgml | 25 |
1 files changed, 16 insertions, 9 deletions
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml index 934ef5e4691..f8d862a6ce4 100644 --- a/doc/src/sgml/config.sgml +++ b/doc/src/sgml/config.sgml @@ -1452,20 +1452,20 @@ include_dir 'conf.d' </listitem> </varlistentry> - <varlistentry id="guc-ssl-ecdh-curve" xreflabel="ssl_ecdh_curve"> - <term><varname>ssl_ecdh_curve</varname> (<type>string</type>) + <varlistentry id="guc-ssl-groups" xreflabel="ssl_groups"> + <term><varname>ssl_groups</varname> (<type>string</type>) <indexterm> - <primary><varname>ssl_ecdh_curve</varname> configuration parameter</primary> + <primary><varname>ssl_groups</varname> configuration parameter</primary> </indexterm> </term> <listitem> <para> Specifies the name of the curve to use in <acronym>ECDH</acronym> key exchange. It needs to be supported by all clients that connect. + Multiple curves can be specified by using a colon-separated list. It does not need to be the same curve used by the server's Elliptic - Curve key. - This parameter can only be set in the <filename>postgresql.conf</filename> - file or on the server command line. + Curve key. This parameter can only be set in the + <filename>postgresql.conf</filename> file or on the server command line. The default is <literal>prime256v1</literal>. </para> 
@@ -1475,9 +1475,16 @@ include_dir 'conf.d' <literal>prime256v1</literal> (NIST P-256), <literal>secp384r1</literal> (NIST P-384), <literal>secp521r1</literal> (NIST P-521). - The full list of available curves can be shown with the command - <command>openssl ecparam -list_curves</command>. Not all of them - are usable in <acronym>TLS</acronym> though. + An incomplete list of available groups can be shown with the command + <command>openssl ecparam -list_curves</command>. Not all of them are + usable with <acronym>TLS</acronym> though, and many supported group + names and aliases are omitted. + </para> + + <para> + In <productname>PostgreSQL</productname> versions before 18.0 this + setting was named <literal>ssl_ecdh_curve</literal> and only accepted + a single value. </para> </listitem> </varlistentry> |
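Review bot: In the first hunk the lead sentence still reads "Specifies the name of the curve to use in ECDH key exchange", singular, even though the parameter is now ssl_groups and the next lines add "Multiple curves can be specified by using a colon-separated list"; the surrounding text should use "groups" (or "curves or groups") consistently, e.g. "Specifies the names of the groups to use in ECDH key exchange." The inserted sentence also lands between "It needs to be supported by all clients that connect." and "It does not need to be the same curve used by the server's Elliptic Curve key.", so the second "It" now lacks a clear antecedent, and "needs to be supported by all clients" no longer states the requirement precisely once a list is allowed: TLS negotiates one group from the intersection of the server's list and the client's supported groups, so a connecting client must support at least one of the configured groups, not every one. Moving the new sentence to the end of the paragraph and rewording the support requirement accordingly would avoid both problems.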
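Review bot: In the second hunk the sentence "Not all of them are usable with TLS though, and many supported group names and aliases are omitted." pulls in two directions at once (the ecparam output lists curves that TLS cannot use, and leaves out group names that TLS can use), which is hard to parse; two sentences would be clearer, e.g. "Not all of the listed curves are usable with TLS." followed by "Conversely, the command does not show many group names and aliases that TLS does accept." The examples that open the hunk, "prime256v1 (NIST P-256), secp384r1 (NIST P-384), secp521r1 (NIST P-521)", are still introduced as curves while the new text speaks of groups; since the commit message says the rename follows the TLS groups extension, a short note that these are the elliptic-curve group names and that other group types may be accepted by the TLS library would keep the terminology consistent with the new paragraph about ssl_ecdh_curve.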