Re: ecdh support causes unnecessary roundtrips
Daniel Gustafsson <daniel@yesql.se>
From: Daniel Gustafsson <daniel@yesql.se>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Andres Freund <andres@anarazel.de>,
Jacob Champion <jacob.champion@enterprisedb.com>,
PostgreSQL Hackers <pgsql-hackers@postgresql.org>,
Marko Kreen <markokr@gmail.com>,
Adrian Klaver <adrian.klaver@gmail.com>,
Peter Eisentraut <peter_e@gmx.net>,
Heikki Linnakangas <hlinnaka@iki.fi>
Date: 2026-02-13T22:32:18Z
Lists: pgsql-hackers
Attachments
- 0002-doc-Add-note-to-ssl_group-config-on-X25519-and-FIPS.patch (application/octet-stream) patch 0002
- 0001-Avoid-using-the-X25519-curve-in-ssl-tests.patch (application/octet-stream) patch 0001
>> Maybe we can create a lightweight throw-away context in a check hook and ensure >> the settings work? > > Yeah, I was envisioning something like that. The main trick would be > to ensure that we can't error out, but given that we'd mostly be > calling OpenSSL code, ensuring that there's no ereport(ERROR) > shouldn't be too hard. This is sort being added as already as part of the SNI patchset, so I'll see if I can steal something from there in case that seems to miss the v19 train. > But I'd counsel getting the easy bits (1) and (2) out of the way > first. Absolutely, the attached is what I had planned for addressing this. -- Daniel Gustafsson
Commits
-
doc: Add note to ssl_group config on X25519 and FIPS
- db93988ab0e7 19 (unreleased) landed
-
Avoid using the X25519 curve in ssl tests
- 07e90c691358 19 (unreleased) landed
-
Add X25519 to the default set of curves
- daa02c6bd926 18.0 landed
-
SSL: Support ECDH key exchange
- 3164721462d5 9.4.0 cited