diff options
| author | Daniel Gustafsson <dgustafsson@postgresql.org> | 2025-03-18 15:26:27 +0100 |
|---|---|---|
| committer | Daniel Gustafsson <dgustafsson@postgresql.org> | 2025-03-18 15:26:27 +0100 |
| commit | daa02c6bd9262adeb44f4a9ed9d94fa6259afd94 (patch) | |
| tree | 8ea66172e793587a84eb8619fd2ad82595daddc8 /src | |
| parent | 4fd02bf7cf94c3b6807dcf0b13e076de94f1e4ff (diff) | |
| download | postgresql-daa02c6bd9262adeb44f4a9ed9d94fa6259afd94.tar.gz postgresql-daa02c6bd9262adeb44f4a9ed9d94fa6259afd94.zip | |
Add X25519 to the default set of curves
Since many clients default to the X25519 curve in the TLS handshake,
the fact that the server by defualt doesn't support it cause an extra
roundtrip for each TLS connection. By adding multiple curves, which
is supported since 3d1ef3a15c3eb68da, we can reduce the risk of extra
roundtrips.
Author: Daniel Gustafsson <daniel@yesql.se>
Co-authored-by: Jacob Champion <jacob.champion@enterprisedb.com>
Reported-by: Andres Freund <andres@anarazel.de>
Reviewed-by: Jacob Champion <jacob.champion@enterprisedb.com>
Discussion: https://postgr.es/m/20240616234612.6cslu7nqexquvwj7@awork3.anarazel.de
Diffstat (limited to 'src')
| -rw-r--r-- | src/backend/utils/misc/guc_tables.c | 2 | ||||
| -rw-r--r-- | src/backend/utils/misc/postgresql.conf.sample | 2 | ||||
| -rw-r--r-- | src/test/ssl/t/SSL/Server.pm | 2 |
3 files changed, 3 insertions, 3 deletions
diff --git a/src/backend/utils/misc/guc_tables.c b/src/backend/utils/misc/guc_tables.c index 0d3ebf06a95..4984d12606c 100644 --- a/src/backend/utils/misc/guc_tables.c +++ b/src/backend/utils/misc/guc_tables.c @@ -4768,7 +4768,7 @@ struct config_string ConfigureNamesString[] = }, &SSLECDHCurve, #ifdef USE_SSL - "prime256v1", + "X25519:prime256v1", #else "none", #endif diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample index 8ac2beb177b..db44fa563b5 100644 --- a/src/backend/utils/misc/postgresql.conf.sample +++ b/src/backend/utils/misc/postgresql.conf.sample @@ -114,7 +114,7 @@ #ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed TLSv1.2 ciphers #ssl_tls13_ciphers = '' # allowed TLSv1.3 cipher suites, blank for default #ssl_prefer_server_ciphers = on -#ssl_groups = 'prime256v1' +#ssl_groups = 'X25519:prime256v1' #ssl_min_protocol_version = 'TLSv1.2' #ssl_max_protocol_version = '' #ssl_dh_params_file = '' diff --git a/src/test/ssl/t/SSL/Server.pm b/src/test/ssl/t/SSL/Server.pm index 447469d8937..14277418419 100644 --- a/src/test/ssl/t/SSL/Server.pm +++ b/src/test/ssl/t/SSL/Server.pm @@ -301,7 +301,7 @@ sub switch_server_cert $node->append_conf('sslconfig.conf', "ssl=on"); $node->append_conf('sslconfig.conf', $backend->set_server_cert(\%params)); # use lists of ECDH curves and cipher suites for syntax testing - $node->append_conf('sslconfig.conf', 'ssl_groups=prime256v1:secp521r1'); + $node->append_conf('sslconfig.conf', 'ssl_groups=X25519:prime256v1:secp521r1'); $node->append_conf('sslconfig.conf', 'ssl_tls13_ciphers=TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256'); |