0001-Clarify-that-ssl_groups-is-for-any-key-exchange-grou.patch

application/octet-stream

Filename: 0001-Clarify-that-ssl_groups-is-for-any-key-exchange-grou.patch
Type: application/octet-stream
Part: 0
Message: [PATCH] Clarify that ssl_groups is for any key exchange groups

Patch

Format: format-patch
Series: patch 0001
Subject: Clarify that ssl_groups is for any key exchange groups
File+
doc/src/sgml/config.sgml 6 6
src/backend/libpq/be-secure-openssl.c 6 6
src/backend/utils/misc/guc_parameters.dat 1 1
From b75f295de12246794e769509fde43e3f6d89052c Mon Sep 17 00:00:00 2001
From: Evan Si <evsi@amazon.com>
Date: Mon, 1 Jun 2026 18:13:35 +0000
Subject: [PATCH] Clarify that ssl_groups is for any key exchange groups

The current wording seems to suggest that the parameter is only meant for DH.
This introduces minor wording tweaks across comments, short_desc, and the docs to
reflect that it accepts any group.
---
 doc/src/sgml/config.sgml                  | 12 ++++++------
 src/backend/libpq/be-secure-openssl.c     | 12 ++++++------
 src/backend/utils/misc/guc_parameters.dat |  2 +-
 3 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index cebae4b6d1b..8a94ecd6221 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -1573,11 +1573,11 @@ include_dir 'conf.d'
       </term>
       <listitem>
        <para>
-        Specifies the name of the curve to use in <acronym>ECDH</acronym> key
-        exchange.  It needs to be supported by all clients that connect.
-        Multiple curves can be specified by using a colon-separated list.
-        It does not need to be the same curve used by the server's Elliptic
-        Curve key.  This parameter can only be set in the
+        Specifies the named group to use for <acronym>TLS</acronym> key
+        exchange.  It needs to be supported by all clients that
+        connect.  Multiple groups can be specified by using a colon-separated
+        list.  It does not need to match the key type used by the server
+        certificate.  This parameter can only be set in the
         <filename>postgresql.conf</filename> file or on the server command line.
         The default is <literal>X25519:prime256v1</literal>.
        </para>
@@ -1592,7 +1592,7 @@ include_dir 'conf.d'
        </note>
 
        <para>
-        <productname>OpenSSL</productname> names for the most common curves
+        <productname>OpenSSL</productname> names for the most common groups
         are:
         <literal>prime256v1</literal> (NIST P-256),
         <literal>secp384r1</literal> (NIST P-384),
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 7890e6c2de2..dcc61cb9b20 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -95,7 +95,7 @@ static int	alpn_cb(SSL *ssl,
 					unsigned int inlen,
 					void *userdata);
 static bool initialize_dh(SSL_CTX *context, bool isServerStart);
-static bool initialize_ecdh(SSL_CTX *context, bool isServerStart);
+static bool initialize_groups(SSL_CTX *context, bool isServerStart);
 static const char *SSLerrmessageExt(unsigned long ecode, const char *replacement);
 static const char *SSLerrmessage(unsigned long ecode);
 static bool init_host_context(HostsLine *host, bool isServerStart);
@@ -516,7 +516,7 @@ be_tls_init(bool isServerStart)
 	/* set up ephemeral DH and ECDH keys */
 	if (!initialize_dh(context, isServerStart))
 		goto error;
-	if (!initialize_ecdh(context, isServerStart))
+	if (!initialize_groups(context, isServerStart))
 		goto error;
 
 	/* set up the allowed cipher list for TLSv1.2 and below */
@@ -2106,12 +2106,12 @@ initialize_dh(SSL_CTX *context, bool isServerStart)
 }
 
 /*
- * Set ECDH parameters for generating ephemeral Elliptic Curve DH
- * keys.  This is much simpler than the DH parameters, as we just
- * need to provide the name of the curve to OpenSSL.
+ * Set the group(s) to use for TLS key exchange.  This is much simpler
+ * than the static DH parameters, as we just need to provide the
+ * colon-separated list of group names to OpenSSL.
  */
 static bool
-initialize_ecdh(SSL_CTX *context, bool isServerStart)
+initialize_groups(SSL_CTX *context, bool isServerStart)
 {
 	if (SSL_CTX_set1_groups_list(context, SSLECDHCurve) != 1)
 	{
diff --git a/src/backend/utils/misc/guc_parameters.dat b/src/backend/utils/misc/guc_parameters.dat
index afaa058b046..fd45e7d76ec 100644
--- a/src/backend/utils/misc/guc_parameters.dat
+++ b/src/backend/utils/misc/guc_parameters.dat
@@ -2790,7 +2790,7 @@
 },
 
 { name => 'ssl_groups', type => 'string', context => 'PGC_SIGHUP', group => 'CONN_AUTH_SSL',
-  short_desc => 'Sets the group(s) to use for Diffie-Hellman key exchange.',
+  short_desc => 'Sets the named groups to use for TLS key exchange.',
   long_desc => 'Multiple groups can be specified using a colon-separated list.',
   flags => 'GUC_SUPERUSER_ONLY',
   variable => 'SSLECDHCurve',
-- 
2.47.3