Re: ecdh support causes unnecessary roundtrips

Daniel Gustafsson <daniel@yesql.se>

From: Daniel Gustafsson <daniel@yesql.se>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Andres Freund <andres@anarazel.de>, Jacob Champion <jacob.champion@enterprisedb.com>, PostgreSQL Hackers <pgsql-hackers@postgresql.org>, Marko Kreen <markokr@gmail.com>, Adrian Klaver <adrian.klaver@gmail.com>, Peter Eisentraut <peter_e@gmx.net>, Heikki Linnakangas <hlinnaka@iki.fi>
Date: 2026-02-09T19:56:13Z
Lists: pgsql-hackers
> On 9 Feb 2026, at 20:41, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> 
> Daniel Gustafsson <daniel@yesql.se> writes:
>> On 18 Mar 2025, at 16:07, Andres Freund <andres@anarazel.de> wrote:
>>> Thanks to both of you for fixing this!
> 
>> No worries, this has now been committed.  Whether or not we can do anything for
>> backbranches is another discussion.
> 
> I happened to discover that daa02c6bd causes us to fail on FIPS-mode
> platforms, because X25519 is not a permitted ECDH curve under FIPS.

Ugh, seems I missed testing this with a FIPS enabled setup..

> SSL connection attempts fail with
> 
> 2026-02-09 14:29:05.214 EST postmaster[118237] FATAL:  could not set group names specified in ssl_groups: passed invalid argument
> 2026-02-09 14:29:05.214 EST postmaster[118237] HINT:  Ensure that each group name is spelled correctly and supported by the installed version of OpenSSL.
> 
> (This is with OpenSSL 3.0.9 on Fedora 38.)
> 
> The reason this eluded detection by the buildfarm is that
> (a) our animals that run on FIPS-mode platforms aren't using
> --enable-tap-tests, and (b) ssl_groups is not validated in any way
> until we try to load it into an SSL context, ie at the moment of
> actually receiving an SSL connection.
> 
> I don't object to X25519 being in the default setting, given that it
> seems to be widely used.  But I think we had better (1) document that
> you need to remove it if you want to run under FIPS, and (2) fix our
> SSL-using regression tests to not use it.  I wonder also if we could
> find a way to validate the ssl_groups setting in a check_hook.

Maybe we can create a lightweight throw-away context in a check hook and ensure
the settings work?  Are you hacking on it or do you want me to pick it up?

--
Daniel Gustafsson




Commits

  1. doc: Add note to ssl_group config on X25519 and FIPS

  2. Avoid using the X25519 curve in ssl tests

  3. Add X25519 to the default set of curves

  4. SSL: Support ECDH key exchange