Re: ecdh support causes unnecessary roundtrips

Daniel Gustafsson <daniel@yesql.se>

From: Daniel Gustafsson <daniel@yesql.se>
To: Andres Freund <andres@anarazel.de>
Cc: Jacob Champion <jacob.champion@enterprisedb.com>, PostgreSQL Hackers <pgsql-hackers@postgresql.org>, Marko Kreen <markokr@gmail.com>, Adrian Klaver <adrian.klaver@gmail.com>, Peter Eisentraut <peter_e@gmx.net>, Heikki Linnakangas <hlinnaka@iki.fi>
Date: 2025-03-18T15:25:37Z
Lists: pgsql-hackers
> On 18 Mar 2025, at 16:07, Andres Freund <andres@anarazel.de> wrote:
> On 2025-03-18 10:45:41 +0100, Daniel Gustafsson wrote:
>> Thanks for doing that, I'll try to get this in during a break in todays conference.
> 
> Thanks to both of you for fixing this!

No worries, this has now been committed.  Whether or not we can do anything for
backbranches is another discussion.

> I wonder how we could make it easier to find stuff like this and 274bbced853,
> it's pretty painful right now. The SSLKEYLOGFILE stuff being discussed would
> help, but would still require somebody breaking out wireshark or such.
> Perhaps some added trace messages or such?

Maybe, but I fear that most of the interesting tracepoints would be inside
OpenSSL rather than in libpq. Definitely worth investigatint though.

--
Daniel Gustafsson




Commits

  1. doc: Add note to ssl_group config on X25519 and FIPS

  2. Avoid using the X25519 curve in ssl tests

  3. Add X25519 to the default set of curves

  4. SSL: Support ECDH key exchange