diff options
| author | Daniel Gustafsson <dgustafsson@postgresql.org> | 2024-10-24 15:20:28 +0200 |
|---|---|---|
| committer | Daniel Gustafsson <dgustafsson@postgresql.org> | 2024-10-24 15:20:28 +0200 |
| commit | 3d1ef3a15c3eb68dae44b94e89d04c422b26fc16 (patch) | |
| tree | a710673741765cd033447a36f5e06005fa3fdc38 /src/backend/utils/misc | |
| parent | 6c66b7443cebf3ff09ea76416a20fb6bb1d32a52 (diff) | |
| download | postgresql-3d1ef3a15c3eb68dae44b94e89d04c422b26fc16.tar.gz postgresql-3d1ef3a15c3eb68dae44b94e89d04c422b26fc16.zip | |
Support configuring multiple ECDH curves
The ssl_ecdh_curve GUC only accepts a single value, but the TLS
handshake can list multiple curves in the groups extension (the
extension has been renamed to contain more than elliptic curves).
This changes the GUC to accept a colon-separated list of curves.
This commit also renames the GUC to ssl_groups to match the new
nomenclature for the TLS extension.
Original patch by Erica Zhang with additional hacking by me.
Author: Erica Zhang <ericazhangy2021@qq.com>
Author: Daniel Gustafsson <daniel@yesql.se>
Reviewed-by: Jacob Champion <jacob.champion@enterprisedb.com>
Reviewed-by: Andres Freund <andres@anarazel.de>
Reviewed-by: Peter Eisentraut <peter@eisentraut.org>
Reviewed-by: Jelte Fennema-Nio <postgres@jeltef.nl>
Discussion: https://postgr.es/m/tencent_063F89FA72CCF2E48A0DF5338841988E9809@qq.com
Diffstat (limited to 'src/backend/utils/misc')
| -rw-r--r-- | src/backend/utils/misc/guc.c | 1 | ||||
| -rw-r--r-- | src/backend/utils/misc/guc_tables.c | 6 | ||||
| -rw-r--r-- | src/backend/utils/misc/postgresql.conf.sample | 2 |
3 files changed, 5 insertions, 4 deletions
diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c index 507a5d329a3..90e91225b4e 100644 --- a/src/backend/utils/misc/guc.c +++ b/src/backend/utils/misc/guc.c @@ -190,6 +190,7 @@ static const unit_conversion time_unit_conversion_table[] = static const char *const map_old_guc_names[] = { "sort_mem", "work_mem", "vacuum_mem", "maintenance_work_mem", + "ssl_ecdh_curve", "ssl_groups", NULL }; diff --git a/src/backend/utils/misc/guc_tables.c b/src/backend/utils/misc/guc_tables.c index 2c4cc8cd41b..859e6658e77 100644 --- a/src/backend/utils/misc/guc_tables.c +++ b/src/backend/utils/misc/guc_tables.c @@ -4656,9 +4656,9 @@ struct config_string ConfigureNamesString[] = }, { - {"ssl_ecdh_curve", PGC_SIGHUP, CONN_AUTH_SSL, - gettext_noop("Sets the curve to use for ECDH."), - NULL, + {"ssl_groups", PGC_SIGHUP, CONN_AUTH_SSL, + gettext_noop("Sets the group(s) to use for Diffie-Hellman key exchange."), + gettext_noop("Multiple groups can be specified using colon-separated list."), GUC_SUPERUSER_ONLY }, &SSLECDHCurve, diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample index 667e0dc40a2..204eab5f1a7 100644 --- a/src/backend/utils/misc/postgresql.conf.sample +++ b/src/backend/utils/misc/postgresql.conf.sample @@ -112,7 +112,7 @@ #ssl_key_file = 'server.key' #ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers #ssl_prefer_server_ciphers = on -#ssl_ecdh_curve = 'prime256v1' +#ssl_groups = 'prime256v1' #ssl_min_protocol_version = 'TLSv1.2' #ssl_max_protocol_version = '' #ssl_dh_params_file = '' |