Re: ecdh support causes unnecessary roundtrips

Tom Lane <tgl@sss.pgh.pa.us>

From: Tom Lane <tgl@sss.pgh.pa.us>
To: Daniel Gustafsson <daniel@yesql.se>
Cc: Andres Freund <andres@anarazel.de>, Jacob Champion <jacob.champion@enterprisedb.com>, PostgreSQL Hackers <pgsql-hackers@postgresql.org>, Marko Kreen <markokr@gmail.com>, Adrian Klaver <adrian.klaver@gmail.com>, Peter Eisentraut <peter_e@gmx.net>, Heikki Linnakangas <hlinnaka@iki.fi>
Date: 2026-02-20T19:17:42Z
Lists: pgsql-hackers
Daniel Gustafsson <daniel@yesql.se> writes:
> On 20 Feb 2026, at 17:07, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>> I'd rather test the normal configuration
>> normally and make people who want to run the test on a FIPS platform
>> do something different.

> How about a function in Cluster.pm which returns whether the underlying OpenSSL
> is using FIPS or not, and if it does we adjust the config to make it not fail
> on an unallowed group?  That way we can have a CI job that runs with FIPS and
> the adjusted test config, and the rest - along with the Buildfarm - runs the
> default config.

If we can get that information easily, then sure.

BTW, I think we should be back-patching these fixes into v18, since
the testing hazard exists there too.  But maybe wait till after the
re-release is finished.

			regards, tom lane



Commits

  1. doc: Add note to ssl_group config on X25519 and FIPS

  2. Avoid using the X25519 curve in ssl tests

  3. Add X25519 to the default set of curves

  4. SSL: Support ECDH key exchange