| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Daniel Gustafsson <daniel(at)yesql(dot)se> |
| Cc: | Andres Freund <andres(at)anarazel(dot)de>, Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>, Marko Kreen <markokr(at)gmail(dot)com>, Adrian Klaver <adrian(dot)klaver(at)gmail(dot)com>, Peter Eisentraut <peter_e(at)gmx(dot)net>, Heikki Linnakangas <hlinnaka(at)iki(dot)fi> |
| Subject: | Re: ecdh support causes unnecessary roundtrips |
| Date: | 2026-02-20 14:58:28 |
| Message-ID: | 2880993.1771599508@sss.pgh.pa.us |
| Lists: | pgsql-hackers |
Daniel Gustafsson <daniel(at)yesql(dot)se> writes:
> When testing before pushing I ran the ssl tests, but my colleague Nazir Bilal
> Yavuz found that two additional test suites need FIPS adjustment. I will apply
> the attached shortly to fix those as well. Sorry for missing these when testing.
I think this is whack-a-mole. What I was thinking of proposing
was to conditionally alter the wired-in default, along the lines
of
#ifdef USE_SSL
+#ifdef PG_FIPS_COMPLIANT
+#define DEFAULT_SSL_GROUPS "prime256v1"
+#else
#define DEFAULT_SSL_GROUPS "X25519:prime256v1"
+#endif
#else
#define DEFAULT_SSL_GROUPS "none"
#endif
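Review bot: PG_FIPS_COMPLIANT here is a compile-time switch, but whether OpenSSL is running in FIPS mode is a property of the installed library and its configuration at runtime, so a binary built without -DPG_FIPS_COMPLIANT and run on a FIPS host still advertises "X25519:prime256v1" and the test suites would fail in exactly the way the preceding message describes; the define as sketched is only a convenience for people who build specifically to test on FIPS platforms, as the text says. It would help to state that explicitly in a comment next to the `#ifdef PG_FIPS_COMPLIANT` line (for example "/* build-time knob for testing on FIPS platforms; not a runtime FIPS detection */"), and to mention the define in the build documentation, since nothing in the sketch shows it being set by configure or meson.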
and then people wanting to test on FIPS platforms could just add
-DPG_FIPS_COMPLIANT to their build recipes.
regards, tom lane