Re: ecdh support causes unnecessary roundtrips

Daniel Gustafsson <daniel@yesql.se>

From: Daniel Gustafsson <daniel@yesql.se>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Andres Freund <andres@anarazel.de>, Jacob Champion <jacob.champion@enterprisedb.com>, PostgreSQL Hackers <pgsql-hackers@postgresql.org>, Marko Kreen <markokr@gmail.com>, Adrian Klaver <adrian.klaver@gmail.com>, Peter Eisentraut <peter_e@gmx.net>, Heikki Linnakangas <hlinnaka@iki.fi>
Date: 2026-02-20T15:51:03Z
Lists: pgsql-hackers
> On 20 Feb 2026, at 15:58, Tom Lane <tgl@sss.pgh.pa.us> wrote:

> and then people wanting to test on FIPS platforms could just add
> -DPG_FIPS_COMPLIANT to their build recipes.

I don't think we will gain much testing that way.  My proposal is to ensure
that the tests always pass with FIPS enabled coupled with a patch, which Bilal
is currently working on, to switch one of the CI jobs to use a FIPS enabled
OpenSSL so that we get ongoing testing of such configurations.

--
Daniel Gustafsson




Commits

  1. doc: Add note to ssl_group config on X25519 and FIPS

  2. Avoid using the X25519 curve in ssl tests

  3. Add X25519 to the default set of curves

  4. SSL: Support ECDH key exchange