Re: ecdh support causes unnecessary roundtrips
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Daniel Gustafsson <daniel@yesql.se>
Cc: Andres Freund <andres@anarazel.de>,
Jacob Champion <jacob.champion@enterprisedb.com>,
PostgreSQL Hackers <pgsql-hackers@postgresql.org>,
Marko Kreen <markokr@gmail.com>,
Adrian Klaver <adrian.klaver@gmail.com>,
Peter Eisentraut <peter_e@gmx.net>,
Heikki Linnakangas <hlinnaka@iki.fi>
Date: 2026-02-20T16:07:42Z
Lists: pgsql-hackers
Daniel Gustafsson <daniel@yesql.se> writes: >> On 20 Feb 2026, at 15:58, Tom Lane <tgl@sss.pgh.pa.us> wrote: >> and then people wanting to test on FIPS platforms could just add >> -DPG_FIPS_COMPLIANT to their build recipes. > I don't think we will gain much testing that way. My proposal is to ensure > that the tests always pass with FIPS enabled coupled with a patch, which Bilal > is currently working on, to switch one of the CI jobs to use a FIPS enabled > OpenSSL so that we get ongoing testing of such configurations. My concern about the fix you suggest is that we won't be testing the same thing that people in the field will be using. Admittedly, any discrepancy would probably be OpenSSL's bug not ours, but that doesn't make it a good thing. I'd rather test the normal configuration normally and make people who want to run the test on a FIPS platform do something different. regards, tom lane
Commits
-
doc: Add note to ssl_group config on X25519 and FIPS
- db93988ab0e7 19 (unreleased) landed
-
Avoid using the X25519 curve in ssl tests
- 07e90c691358 19 (unreleased) landed
-
Add X25519 to the default set of curves
- daa02c6bd926 18.0 landed
-
SSL: Support ECDH key exchange
- 3164721462d5 9.4.0 cited