From b75f295de12246794e769509fde43e3f6d89052c Mon Sep 17 00:00:00 2001
From: Evan Si
Date: Mon, 1 Jun 2026 18:13:35 +0000
Subject: [PATCH] Clarify that ssl_groups is for any key exchange groups

The current wording seems to suggest that the parameter is only meant for DH. This introduces minor wording tweaks across comments, short_desc, and the docs to reflect that it accepts any group.
---
 doc/src/sgml/config.sgml | 12 ++++++------
 src/backend/libpq/be-secure-openssl.c | 12 ++++++------
 src/backend/utils/misc/guc_parameters.dat | 2 +-
 3 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index cebae4b6d1b..8a94ecd6221 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -1573,11 +1573,11 @@ include_dir 'conf.d'
- Specifies the name of the curve to use in ECDH key
- exchange. It needs to be supported by all clients that connect.
- Multiple curves can be specified by using a colon-separated list.
- It does not need to be the same curve used by the server's Elliptic
- Curve key. This parameter can only be set in the
+ Specifies the named group to use for TLS key
+ exchange. It needs to be supported by all clients that
+ connect. Multiple groups can be specified by using a colon-separated
+ list. It does not need to match the key type used by the server
+ certificate. This parameter can only be set in the
 postgresql.conf file or on the server command line. The default is X25519:prime256v1.
@@ -1592,7 +1592,7 @@ include_dir 'conf.d'
- OpenSSL names for the most common curves
+ OpenSSL names for the most common groups
 are: prime256v1 (NIST P-256), secp384r1 (NIST P-384),
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 7890e6c2de2..dcc61cb9b20 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -95,7 +95,7 @@ static int alpn_cb(SSL *ssl, unsigned int inlen, void *userdata);
 static bool initialize_dh(SSL_CTX *context, bool isServerStart);
-static bool initialize_ecdh(SSL_CTX *context, bool isServerStart);
+static bool initialize_groups(SSL_CTX *context, bool isServerStart);
 static const char *SSLerrmessageExt(unsigned long ecode, const char *replacement);
 static const char *SSLerrmessage(unsigned long ecode);
 static bool init_host_context(HostsLine *host, bool isServerStart);
@@ -516,7 +516,7 @@ be_tls_init(bool isServerStart)
 /* set up ephemeral DH and ECDH keys */
 if (!initialize_dh(context, isServerStart))
 goto error;
- if (!initialize_ecdh(context, isServerStart))
+ if (!initialize_groups(context, isServerStart))
 goto error;
 /* set up the allowed cipher list for TLSv1.2 and below */
@@ -2106,12 +2106,12 @@ initialize_dh(SSL_CTX *context, bool isServerStart)
 }
 /*
- * Set ECDH parameters for generating ephemeral Elliptic Curve DH
- * keys. This is much simpler than the DH parameters, as we just
- * need to provide the name of the curve to OpenSSL.
+ * Set the group(s) to use for TLS key exchange. This is much simpler
+ * than the static DH parameters, as we just need to provide the
+ * colon-separated list of group names to OpenSSL.
 */
 static bool
-initialize_ecdh(SSL_CTX *context, bool isServerStart)
+initialize_groups(SSL_CTX *context, bool isServerStart)
 {
 if (SSL_CTX_set1_groups_list(context, SSLECDHCurve) != 1)
 {
diff --git a/src/backend/utils/misc/guc_parameters.dat b/src/backend/utils/misc/guc_parameters.dat
index afaa058b046..fd45e7d76ec 100644
--- a/src/backend/utils/misc/guc_parameters.dat
+++ b/src/backend/utils/misc/guc_parameters.dat
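Review bot: The context comment `/* set up ephemeral DH and ECDH keys */` two lines above the renamed call in be_tls_init still describes the second step as ECDH, which is exactly the wording this commit sets out to retire; with initialize_groups accepting any named group, `/* set up ephemeral DH parameters and the TLS key exchange groups */` would keep the comment in step with the new function name. The rest of be_tls_init, including the error label the two `goto error;` lines jump to, lies outside the hunk.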
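Review bot: The new header comment's phrase `the static DH parameters` can be read as static (non-ephemeral) Diffie-Hellman, which is a different and weaker key exchange than what the sibling initialize_dh appears to prepare; `than the finite-field DH parameters, as we just need to provide the` keeps the contrast without suggesting a non-ephemeral exchange. The argument to SSL_CTX_set1_groups_list is still the variable SSLECDHCurve even though the GUC is ssl_groups and the function is now initialize_groups, so the rename this commit starts stops one level short; that is defensible for a wording-only change but worth a follow-up. The body of initialize_groups, including the error branch opened by the final `{`, continues past the end of the hunk.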
@@ -2790,7 +2790,7 @@
 },
 { name => 'ssl_groups', type => 'string', context => 'PGC_SIGHUP', group => 'CONN_AUTH_SSL',
- short_desc => 'Sets the group(s) to use for Diffie-Hellman key exchange.',
+ short_desc => 'Sets the named groups to use for TLS key exchange.',
 long_desc => 'Multiple groups can be specified using a colon-separated list.',
 flags => 'GUC_SUPERUSER_ONLY',
 variable => 'SSLECDHCurve',
--
2.47.3