RHEL-145117

TLS1.3 ciphers cannot be configured


    • Bug
    • Resolution: Unresolved
    • rhel-9.7
    • postgresql
    • Important
    • rhel-databases

      What were you trying to do that didn't work?

      This is somehow a continuation of RHEL-144930.
      postgresql.conf has an ssl_ciphers property to configure ciphers, but it internally ends up calling OpenSSL's SSL_CTX_set_cipher_list() function, which is for TLS1.2 and lower only, not TLS1.3.
      TLS1.3 ciphers are configured by calling OpenSSL's SSL_CTX_set_ciphersuites() instead.
      Due to this, it's impossible to configure TLS1.3 ciphers for the service; it's only possible to do so by using ssl_ciphers = 'PROFILE=SYSTEM', but this then uses the system-wide policy, which is not always suitable.

      What is the impact of this issue to you?

      Can't restrict TLS1.3 ciphers without affecting the system-wide policy.

      Please provide the package NVR for which the bug is seen:

      postgresql-server-13.23-1.el9_7
      and all the streams.

      How reproducible is this bug?

      N/A

              fjanus@redhat.com Filip Janus
              rhn-support-rmetrich Renaud Métrich
              Filip Janus
              Vaclav Danek
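
The OpenSSL behaviour described in this report can be checked from any OpenSSL binding. The following is an added example, not part of the original report and not PostgreSQL code: Python's ssl.SSLContext.set_ciphers() wraps SSL_CTX_set_cipher_list(), so it shows a TLS1.2 cipher string narrowing the TLS1.2 list while the TLS1.3 suites stay as they were. The sample cipher string and the function names are assumptions made for the example, and OpenSSL 1.1.1 or later is assumed.

```python
import ssl

# Constructed sample value: a TLS 1.2-only cipher string of the kind an
# administrator might put in ssl_ciphers.
SAMPLE_CIPHER_STRING = "ECDHE-RSA-AES256-GCM-SHA384"


def suites_by_protocol(ctx):
    """Split the suites enabled on ctx into (TLS 1.3 names, TLS <= 1.2 names)."""
    tls13, legacy = [], []
    for cipher in ctx.get_ciphers():
        target = tls13 if cipher["protocol"] == "TLSv1.3" else legacy
        target.append(cipher["name"])
    return sorted(tls13), sorted(legacy)


def audit_cipher_string(cipher_string):
    """Apply cipher_string through SSL_CTX_set_cipher_list() and report the effect."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    tls13_before, legacy_before = suites_by_protocol(ctx)
    ctx.set_ciphers(cipher_string)  # CPython calls SSL_CTX_set_cipher_list() here
    tls13_after, legacy_after = suites_by_protocol(ctx)
    return {
        "legacy_before": legacy_before,
        "legacy_after": legacy_after,
        "tls13_before": tls13_before,
        "tls13_after": tls13_after,
        # True when TLS 1.3 suites exist and the cipher string did not change them.
        "tls13_unrestricted": bool(tls13_after) and tls13_before == tls13_after,
    }


if __name__ == "__main__":
    report = audit_cipher_string(SAMPLE_CIPHER_STRING)
    print("TLS <= 1.2 suites before:", len(report["legacy_before"]))
    print("TLS <= 1.2 suites after: ", report["legacy_after"])
    print("TLS 1.3 suites after:    ", report["tls13_after"])
    if report["tls13_unrestricted"]:
        print("Finding: the cipher string did not restrict any TLS 1.3 suite")
```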