| From: | "Si, Evan" <evsi(at)amazon(dot)com> |
|---|---|
| To: | "pgsql-hackers(at)lists(dot)postgresql(dot)org" <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
| Subject: | [PATCH] Clarify that ssl_groups is for any key exchange groups |
| Date: | 2026-06-01 20:05:01 |
| Message-ID: | 23C40DD6-1C47-46FC-A746-8A1D8530AD3E@amazon.com |
| Lists: | pgsql-hackers |

Hi,

The ssl_groups parameter introduced in Postgres 18 decided to use a short_desc: "Sets the group(s) to use for Diffie-Hellman key exchange" [1]. The documentation still references curves [2].

However, this parameter is just passed through to SSL_CTX_set1_groups_list. This means the parameter readily accepts values like a pure `MLKEM768`, assuming the crypto lib supports it, which is true since OpenSSL 3.5. Yet these Shor-safe groups are not DH key exchange.

I think it makes sense to modify the documentation to a more generic one to reflect the capabilities of ssl_groups more accurately, e.g. "Sets the named groups to use for TLS key exchange."

A more concrete patch suggestion is attached.

Evan

[1] https://www.postgresql.org/message-id/D44791DD-0CD9-48A7-9471-60593673A91B%40yesql.se

[2] https://www.postgresql.org/docs/18/runtime-config-connection.html#GUC-SSL-GROUPS

| Attachment | Content-Type | Size |
|---|---|---|
| 0001-Clarify-that-ssl_groups-is-for-any-key-exchange-grou.patch | application/octet-stream | 4.4 KB |