Re: ecdh support causes unnecessary roundtrips
Daniel Gustafsson <daniel@yesql.se>
From: Daniel Gustafsson <daniel@yesql.se>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Andres Freund <andres@anarazel.de>,
Jacob Champion <jacob.champion@enterprisedb.com>,
PostgreSQL Hackers <pgsql-hackers@postgresql.org>,
Marko Kreen <markokr@gmail.com>,
Adrian Klaver <adrian.klaver@gmail.com>,
Peter Eisentraut <peter_e@gmx.net>,
Heikki Linnakangas <hlinnaka@iki.fi>
Date: 2026-02-20T17:53:19Z
Lists: pgsql-hackers
> On 20 Feb 2026, at 17:07, Tom Lane <tgl@sss.pgh.pa.us> wrote: > My concern about the fix you suggest is that we won't be testing the > same thing that people in the field will be using. Yes and no. Folks can configure this (and other ssl_* settings) in lots of different way which are all disjoint from our default. > I'd rather test the normal configuration > normally and make people who want to run the test on a FIPS platform > do something different. How about a function in Cluster.pm which returns whether the underlying OpenSSL is using FIPS or not, and if it does we adjust the config to make it not fail on an unallowed group? That way we can have a CI job that runs with FIPS and the adjusted test config, and the rest - along with the Buildfarm - runs the default config. -- Daniel Gustafsson
Commits
-
doc: Add note to ssl_group config on X25519 and FIPS
- db93988ab0e7 19 (unreleased) landed
-
Avoid using the X25519 curve in ssl tests
- 07e90c691358 19 (unreleased) landed
-
Add X25519 to the default set of curves
- daa02c6bd926 18.0 landed
-
SSL: Support ECDH key exchange
- 3164721462d5 9.4.0 cited