Re: ecdh support causes unnecessary roundtrips

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Daniel Gustafsson <daniel(at)yesql(dot)se>
Cc: Andres Freund <andres(at)anarazel(dot)de>, Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>, Marko Kreen <markokr(at)gmail(dot)com>, Adrian Klaver <adrian(dot)klaver(at)gmail(dot)com>, Peter Eisentraut <peter_e(at)gmx(dot)net>, Heikki Linnakangas <hlinnaka(at)iki(dot)fi>
Subject: Re: ecdh support causes unnecessary roundtrips
Date: 2026-02-09 20:01:09
Message-ID: 3523994.1770667269@sss.pgh.pa.us
Lists: pgsql-hackers

Daniel Gustafsson <daniel(at)yesql(dot)se> writes:
> On 9 Feb 2026, at 20:41, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>> I don't object to X25519 being in the default setting, given that it
>> seems to be widely used. But I think we had better (1) document that
>> you need to remove it if you want to run under FIPS, and (2) fix our
>> SSL-using regression tests to not use it. I wonder also if we could
>> find a way to validate the ssl_groups setting in a check_hook.

> Maybe we can create a lightweight throw-away context in a check hook and ensure
> the settings work?

Yeah, I was envisioning something like that. The main trick would be
to ensure that we can't error out, but given that we'd mostly be
calling OpenSSL code, ensuring that there's no ereport(ERROR)
shouldn't be too hard.

But I'd counsel getting the easy bits (1) and (2) out of the way
first.

> Are you hacking on it or do you want me to pick it up?

I was not planning to work on that.

regards, tom lane
