Re: ecdh support causes unnecessary roundtrips

Daniel Gustafsson <daniel@yesql.se>

From: Daniel Gustafsson <daniel@yesql.se>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Andres Freund <andres@anarazel.de>, Jacob Champion <jacob.champion@enterprisedb.com>, PostgreSQL Hackers <pgsql-hackers@postgresql.org>, Marko Kreen <markokr@gmail.com>, Adrian Klaver <adrian.klaver@gmail.com>, Peter Eisentraut <peter_e@gmx.net>, Heikki Linnakangas <hlinnaka@iki.fi>
Date: 2026-02-13T22:32:18Z
Lists: pgsql-hackers

Attachments

>> Maybe we can create a lightweight throw-away context in a check hook and ensure
>> the settings work?
> 
> Yeah, I was envisioning something like that.  The main trick would be
> to ensure that we can't error out, but given that we'd mostly be
> calling OpenSSL code, ensuring that there's no ereport(ERROR)
> shouldn't be too hard.

This is sort being added as already as part of the SNI patchset, so I'll see if
I can steal something from there in case that seems to miss the v19 train.

> But I'd counsel getting the easy bits (1) and (2) out of the way
> first.

Absolutely, the attached is what I had planned for addressing this.

--
Daniel Gustafsson

Commits

  1. doc: Add note to ssl_group config on X25519 and FIPS

  2. Avoid using the X25519 curve in ssl tests

  3. Add X25519 to the default set of curves

  4. SSL: Support ECDH key exchange