From daa02c6bd9262adeb44f4a9ed9d94fa6259afd94 Mon Sep 17 00:00:00 2001 From: Daniel Gustafsson Date: Tue, 18 Mar 2025 15:26:27 +0100 Subject: Add X25519 to the default set of curves Since many clients default to the X25519 curve in the TLS handshake, the fact that the server by defualt doesn't support it cause an extra roundtrip for each TLS connection. By adding multiple curves, which is supported since 3d1ef3a15c3eb68da, we can reduce the risk of extra roundtrips. Author: Daniel Gustafsson Co-authored-by: Jacob Champion Reported-by: Andres Freund Reviewed-by: Jacob Champion Discussion: https://postgr.es/m/20240616234612.6cslu7nqexquvwj7@awork3.anarazel.de --- src/backend/utils/misc/guc_tables.c | 2 +- src/backend/utils/misc/postgresql.conf.sample | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'src/backend') diff --git a/src/backend/utils/misc/guc_tables.c b/src/backend/utils/misc/guc_tables.c index 0d3ebf06a95..4984d12606c 100644 --- a/src/backend/utils/misc/guc_tables.c +++ b/src/backend/utils/misc/guc_tables.c @@ -4768,7 +4768,7 @@ struct config_string ConfigureNamesString[] = }, &SSLECDHCurve, #ifdef USE_SSL - "prime256v1", + "X25519:prime256v1", #else "none", #endif diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample index 8ac2beb177b..db44fa563b5 100644 --- a/src/backend/utils/misc/postgresql.conf.sample +++ b/src/backend/utils/misc/postgresql.conf.sample @@ -114,7 +114,7 @@ #ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed TLSv1.2 ciphers #ssl_tls13_ciphers = '' # allowed TLSv1.3 cipher suites, blank for default #ssl_prefer_server_ciphers = on -#ssl_groups = 'prime256v1' +#ssl_groups = 'X25519:prime256v1' #ssl_min_protocol_version = 'TLSv1.2' #ssl_max_protocol_version = '' #ssl_dh_params_file = '' -- cgit v1.2.3