Re: ecdh support causes unnecessary roundtrips

Tom Lane <tgl@sss.pgh.pa.us>

From: Tom Lane <tgl@sss.pgh.pa.us>
To: Daniel Gustafsson <daniel@yesql.se>
Cc: Andres Freund <andres@anarazel.de>, Jacob Champion <jacob.champion@enterprisedb.com>, PostgreSQL Hackers <pgsql-hackers@postgresql.org>, Marko Kreen <markokr@gmail.com>, Adrian Klaver <adrian.klaver@gmail.com>, Peter Eisentraut <peter_e@gmx.net>, Heikki Linnakangas <hlinnaka@iki.fi>
Date: 2026-02-20T14:58:28Z
Lists: pgsql-hackers
Daniel Gustafsson <daniel@yesql.se> writes:
> When testing before pushing I ran the ssl tests, but my colleague Nazir Bilal
> Yavuz found that two additional test suites need FIPS adjustment.  I will apply
> the attached shortly to fix those as well. Sorry for missing these when testing.

I think this is whack-a-mole.  What I was thinking of proposing
was to conditionally alter the wired-in default, along the lines
of

 #ifdef USE_SSL
+#ifdef PG_FIPS_COMPLIANT
+#define DEFAULT_SSL_GROUPS "prime256v1"
+#else
 #define DEFAULT_SSL_GROUPS "X25519:prime256v1"
+#endif
 #else
 #define DEFAULT_SSL_GROUPS "none"
 #endif

and then people wanting to test on FIPS platforms could just add
-DPG_FIPS_COMPLIANT to their build recipes.

			regards, tom lane



Commits

  1. doc: Add note to ssl_group config on X25519 and FIPS

  2. Avoid using the X25519 curve in ssl tests

  3. Add X25519 to the default set of curves

  4. SSL: Support ECDH key exchange