Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wLSs1-001nX9-0u for pgsql-hackers@arkaria.postgresql.org; Fri, 08 May 2026 21:36:29 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1wLSs0-00BC4R-0P for pgsql-hackers@arkaria.postgresql.org; Fri, 08 May 2026 21:36:28 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wLSrz-00BC4J-2a for pgsql-hackers@lists.postgresql.org; Fri, 08 May 2026 21:36:27 +0000 Received: from sender4-op-o11.zoho.com ([136.143.188.11]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.98.2) (envelope-from ) id 1wLSrw-00000000s1r-1Lxw for pgsql-hackers@postgresql.org; Fri, 08 May 2026 21:36:26 +0000 ARC-Seal: i=1; a=rsa-sha256; t=1778276172; cv=none; d=zohomail.com; s=zohoarc; b=ldOREXhV3GQ7/DBK4nFdSX2TzGDNyjk7W05lhd7eW9aBJHBtSlAhwJKThqFnQcrxXEv0c3W0qFXeu0I9R61PTllWBT0RjUv0CQyxi2Me/xY97giHavDBA0jCvrIiPZzRp7xT3fTnSwWg6dDliM+hBdQhPTVSGT5kRRo4deH263g= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778276172; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:MIME-Version:Message-ID:References:Subject:Subject:To:To:Message-Id:Reply-To; bh=RHxzDSJ8SKYFvTu7wsFYw2WG9ER6wz47CNQOmpjmUjE=; b=SCEysMTw3feP0j0ZniQ0OmSRdqT8TeWJXPXTIyN2TkbOxj5D2HcKJNtBZiWlcZPIZVSlb4GEfd2UI94uvJEw6qFlPMGO8Wg3UQGP08cIOSl3dwRyA2BkYb2X8+97rlGHxhrSK+wCc7ZZ2MgMuha5aLxdMWL6B/ahs3NFQHIeVpY= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass header.i=highgo.ca; spf=pass smtp.mailfrom=cary.huang@highgo.ca; dmarc=pass header.from= DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1778276172; s=zoho; d=highgo.ca; i=cary.huang@highgo.ca; h=Date:Date:From:From:To:To:Cc:Cc:Message-ID:In-Reply-To:References:Subject:Subject:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-Id:Reply-To; bh=RHxzDSJ8SKYFvTu7wsFYw2WG9ER6wz47CNQOmpjmUjE=; b=iJFZ/zG3Fx471SwmdcWs5/jjg3yPBS//G93CZk/gcUbtIG7uT5eBff2vzbW+ZwNr tpWZphItBAH223u3nS506htcXZQqDn8WOCYwb+Kxe7FC4mYVpYX7ZMUuUCFRqBUnTiJ nkOPy+71BfvK8Sk78rm67VRaQiK46g+dNYkxbCRs= Received: from mail.zoho.com by mx.zohomail.com with SMTP id 1778276170789770.4500598763473; Fri, 8 May 2026 14:36:10 -0700 (PDT) Date: Fri, 08 May 2026 14:36:10 -0700 From: Cary Huang To: "Dmitry Dolgov" <9erthalion6@gmail.com> Cc: "Jacob Champion" , "Daniel Gustafsson" , "PostgreSQL Hackers" Message-ID: <19e0984fc10.339087cd498909.6340608720119447495@highgo.ca> In-Reply-To: References: Subject: Re: Add ssl_(supported|shared)_groups to sslinfo MIME-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 7bit Importance: Medium User-Agent: Zoho Mail X-Mailer: Zoho Mail List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk Hi Given that sslinfo is designed to expose diagnostic information about the current TLS connection, I am supportive of extending its functionality. Just some comments about the patch: > /* Send the negotiated group first */ > if (call_cntr == 0) > { > nid = SSL_get_negotiated_group(ssl); > group_type = CStringGetTextDatum("negotiated"); > } > /* Then the shared groups */ > else if (call_cntr < fctx->nshared + 1) > { > nid = SSL_get_shared_group(ssl, call_cntr - 1); > group_type = CStringGetTextDatum("shared"); > } > /* And finally the supported groups */ > else if (call_cntr < fctx->nsupported + fctx->nshared + 1) > { > nid = fctx->supported_groups[call_cntr - fctx->nshared - 1]; > group_type = CStringGetTextDatum("supported"); > } > else > SRF_RETURN_DONE(funcctx); > > /* > * SSL_group_to_name can return NULL in case of an error, e.g. when no > * such name was registered for some reason. > */ > group_name = SSL_group_to_name(ssl, nid); > if (group_name == NULL) > ereport(ERROR, > (errcode(ERRCODE_FEATURE_NOT_SUPPORTED), > errmsg("unknown OpenSSL group at position %d", > call_cntr))); It is possible that SSL_get_negotiated_group() and SSL_get_shared_group() would return NID_undef when there is no negotiated group. The current code will pass that to SSL_group_to_name() and raise an error if it returns NULL. Instead of failing the whole function, would it be better to just omit that row since the function returns a SETOF record? if nid == NID_undef, we could just omit the row instead of making a call to SSL_group_to_name(), which most likely will fail. Also, I found a small typo on documentation: > Lisf of named groups shared with the server side. should be corrected to: List of named groups shared with the server side. thanks! Cary Huang ------------- HighGo Software Inc. (Canada) cary.huang@highgo.ca www.highgo.ca