public inbox for [email protected]
From: Si, Evan <[email protected]>
To: [email protected] <[email protected]>
Subject: [PATCH] Clarify that ssl_groups is for any key exchange groups
Date: Mon, 1 Jun 2026 20:05:01 +0000
Message-ID: <[email protected]>
Hi,
The ssl_groups parameter introduced in Postgres 18 decided to use a short_desc: "Sets the group(s) to use for Diffie-Hellman key exchange" [1]. The documentation still references curves [2].
However, this parameter is just passed through to SSL_CTX_set1_groups_list. This means the parameter readily accepts values like a pure `MLKEM768`, assuming the crypto lib supports it, which is true since OpenSSL 3.5. Yet these Shor-safe groups are not DH key exchange.
I think it makes sense to modify the documentation to a more generic one to reflect the capabilities of ssl_groups more accurately, e.g. "Sets the named groups to use for TLS key exchange."
A more concrete patch suggestion is attached.
Evan
[1] https://www.postgresql.org/message-id/D44791DD-0CD9-48A7-9471-60593673A91B%40yesql.se
[2] https://www.postgresql.org/docs/18/runtime-config-connection.html#GUC-SSL-GROUPS
Attachments:
[application/octet-stream] 0001-Clarify-that-ssl_groups-is-for-any-key-exchange-grou.patch (4.4K, 2-0001-Clarify-that-ssl_groups-is-for-any-key-exchange-grou.patch)
From b75f295de12246794e769509fde43e3f6d89052c Mon Sep 17 00:00:00 2001
From: Evan Si <[email protected]>
Date: Mon, 1 Jun 2026 18:13:35 +0000
Subject: [PATCH] Clarify that ssl_groups is for any key exchange groups
The current wording seems to suggest that the parameter is only meant for DH.
This introduces minor wording tweaks across comments, short_desc, and the docs to
reflect that it accepts any group.
---
doc/src/sgml/config.sgml | 12 ++++++------
src/backend/libpq/be-secure-openssl.c | 12 ++++++------
src/backend/utils/misc/guc_parameters.dat | 2 +-
3 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index cebae4b6d1b..8a94ecd6221 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -1573,11 +1573,11 @@ include_dir 'conf.d'
</term>
<listitem>
<para>
- Specifies the name of the curve to use in <acronym>ECDH</acronym> key
- exchange. It needs to be supported by all clients that connect.
- Multiple curves can be specified by using a colon-separated list.
- It does not need to be the same curve used by the server's Elliptic
- Curve key. This parameter can only be set in the
+ Specifies the named group to use for <acronym>TLS</acronym> key
+ exchange. It needs to be supported by all clients that
+ connect. Multiple groups can be specified by using a colon-separated
+ list. It does not need to match the key type used by the server
+ certificate. This parameter can only be set in the
<filename>postgresql.conf</filename> file or on the server command line.
The default is <literal>X25519:prime256v1</literal>.
</para>
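Review bot: In the new paragraph, "Specifies the named group to use ... It needs to be supported by all clients that connect" still reads as if a single group is configured, although the next sentence allows a colon-separated list and the default shown is X25519:prime256v1. Consider "Specifies the named group(s)" and stating explicitly whether each client must support every listed group or at least one of them, since that is the question an administrator will have when adding a newer group to the list.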
@@ -1592,7 +1592,7 @@ include_dir 'conf.d'
</note>
<para>
- <productname>OpenSSL</productname> names for the most common curves
+ <productname>OpenSSL</productname> names for the most common groups
are:
<literal>prime256v1</literal> (NIST P-256),
<literal>secp384r1</literal> (NIST P-384),
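Review bot: Only the lead-in word changes from "curves" to "groups" here, while the entries visible in the context (prime256v1, secp384r1) are still elliptic-curve names. If the point of the patch is that non-curve groups such as the MLKEM768 value mentioned in the cover letter are accepted, add at least one such name together with the OpenSSL version it requires, or keep "curves" for this list and mention other groups in a separate sentence.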
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 7890e6c2de2..dcc61cb9b20 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -95,7 +95,7 @@ static int alpn_cb(SSL *ssl,
unsigned int inlen,
void *userdata);
static bool initialize_dh(SSL_CTX *context, bool isServerStart);
-static bool initialize_ecdh(SSL_CTX *context, bool isServerStart);
+static bool initialize_groups(SSL_CTX *context, bool isServerStart);
static const char *SSLerrmessageExt(unsigned long ecode, const char *replacement);
static const char *SSLerrmessage(unsigned long ecode);
static bool init_host_context(HostsLine *host, bool isServerStart);
@@ -516,7 +516,7 @@ be_tls_init(bool isServerStart)
/* set up ephemeral DH and ECDH keys */
if (!initialize_dh(context, isServerStart))
goto error;
- if (!initialize_ecdh(context, isServerStart))
+ if (!initialize_groups(context, isServerStart))
goto error;
/* set up the allowed cipher list for TLSv1.2 and below */
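Review bot: The unchanged context comment "/* set up ephemeral DH and ECDH keys */" directly above the renamed call is now stale, because initialize_groups() is no longer described as ECDH-specific. Update that comment in this hunk as well, for example to say that it sets up the DH parameters and the key exchange groups.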
@@ -2106,12 +2106,12 @@ initialize_dh(SSL_CTX *context, bool isServerStart)
}
/*
- * Set ECDH parameters for generating ephemeral Elliptic Curve DH
- * keys. This is much simpler than the DH parameters, as we just
- * need to provide the name of the curve to OpenSSL.
+ * Set the group(s) to use for TLS key exchange. This is much simpler
+ * than the static DH parameters, as we just need to provide the
+ * colon-separated list of group names to OpenSSL.
*/
static bool
-initialize_ecdh(SSL_CTX *context, bool isServerStart)
+initialize_groups(SSL_CTX *context, bool isServerStart)
{
if (SSL_CTX_set1_groups_list(context, SSLECDHCurve) != 1)
{
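Review bot: The renamed initialize_groups() still passes SSLECDHCurve to SSL_CTX_set1_groups_list(), so the ECDH naming that the patch removes from the function name and its comment survives in the variable. Either rename the variable too, or add a line to the function comment saying the name is historical, so a reader does not conclude the value is restricted to curves.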
diff --git a/src/backend/utils/misc/guc_parameters.dat b/src/backend/utils/misc/guc_parameters.dat
index afaa058b046..fd45e7d76ec 100644
--- a/src/backend/utils/misc/guc_parameters.dat
+++ b/src/backend/utils/misc/guc_parameters.dat
@@ -2790,7 +2790,7 @@
},
{ name => 'ssl_groups', type => 'string', context => 'PGC_SIGHUP', group => 'CONN_AUTH_SSL',
- short_desc => 'Sets the group(s) to use for Diffie-Hellman key exchange.',
+ short_desc => 'Sets the named groups to use for TLS key exchange.',
long_desc => 'Multiple groups can be specified using a colon-separated list.',
flags => 'GUC_SUPERUSER_ONLY',
variable => 'SSLECDHCurve',
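Review bot: The new short_desc says "named groups" (plural, and without the former "(s)"), while the config.sgml text in this patch says "Specifies the named group" and the function comment says "the group(s)". Pick one form and use it in all three places so the GUC description, the documentation and the code comment agree.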
--
2.47.3