From: Ewan Young
Date: Wed, 3 Jun 2026 14:32:12 +0800
Subject: Re: [PATCH] Clarify that ssl_groups is for any key exchange groups
To: "Si, Evan"
Cc: pgsql-hackers@lists.postgresql.org

On Tue, Jun 2, 2026 at 4:05 AM Si, Evan wrote:
>
> Hi,
>
> The ssl_groups parameter introduced in Postgres 18 decided to use a short_desc: "Sets the group(s) to use for Diffie-Hellman key exchange" [1]. The documentation still references curves [2].
>
> However, this parameter is just passed through to SSL_CTX_set1_groups_list. This means the parameter readily accepts values like a pure `MLKEM768`, assuming the crypto lib supports it, which is true since OpenSSL 3.5. Yet these Shor-safe groups are not DH key exchange.
>
> I think it makes sense to modify the documentation to a more generic one to reflect the capabilities of ssl_groups more accurately, e.g. "Sets the named groups to use for TLS key exchange."
>
> A more concrete patch suggestion is attached.
>
> Evan

Hi,

+1 for the idea. (I'm fairly new here, so please take my comments with a grain of salt.)
I tried the patch on HEAD: it applies cleanly, and the new short_desc shows up correctly in postgres --describe-config.

While reading it I noticed two small things:

1. The comment just above the renamed call in be_tls_init() still says "set up ephemeral DH and ECDH keys". Maybe it should be updated to match?

2. The SSLECDHCurve variable (and its "GUC variable for default ECDH curve" comment in be-secure.c) still uses the old naming. I wasn't sure if that was left out intentionally to keep the patch small -- if not, would it make sense to rename it too, for consistency with the initialize_groups() rename?

Regards,
Ewan

>
> [1] https://www.postgresql.org/message-id/D44791DD-0CD9-48A7-9471-60593673A91B%40yesql.se
> [2] https://www.postgresql.org/docs/18/runtime-config-connection.html#GUC-SSL-GROUPS
>
>
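The point of the thread is that ssl_groups is handed to SSL_CTX_set1_groups_list unchanged, so it accepts any named group the linked OpenSSL knows, not just ECDH curves. The following is an added example of exercising that from a superuser session; it is not part of the thread and not PostgreSQL's own code or documentation. It assumes a PostgreSQL 18 server with ssl = on, linked against OpenSSL 3.5 or later (so the ML-KEM group names are known to the library), and that the client connecting in step 2 can offer an ML-KEM key share.

```sql
-- Added example (not from the thread, not PostgreSQL's own code or docs).
-- Assumptions: PostgreSQL 18, ssl = on, OpenSSL 3.5+ on the server,
-- superuser session. Group names below are OpenSSL's, passed verbatim
-- to SSL_CTX_set1_groups_list by the server.

-- 1. Mixed list: a hybrid ML-KEM group first, then classic ECDH curves
--    as fallback for clients that cannot offer an ML-KEM key share.
ALTER SYSTEM SET ssl_groups = 'X25519MLKEM768:X25519:prime256v1';
SELECT pg_reload_conf();
SHOW ssl_groups;

-- 2. Pure ML-KEM list: also accepted, which is what the patch is about.
--    Nothing in this list is Diffie-Hellman, so the current short_desc
--    ("Diffie-Hellman key exchange") and the "curve" wording in the docs
--    do not describe it. Clients without ML-KEM support will fail the
--    TLS handshake against this setting.
ALTER SYSTEM SET ssl_groups = 'MLKEM768';
SELECT pg_reload_conf();
SHOW ssl_groups;

-- 3. Back to the compiled-in default.
ALTER SYSTEM RESET ssl_groups;
SELECT pg_reload_conf();
```

ALTER SYSTEM only stores the string; whether OpenSSL actually accepts the group names is decided when the server rebuilds its TLS context at reload, so check the server log after each pg_reload_conf() rather than trusting SHOW alone. To confirm which group a handshake really negotiated, an OpenSSL client such as `openssl s_client -starttls postgres -connect host:5432 -groups X25519MLKEM768` reports the negotiated TLS 1.3 group in its output (host and port here are placeholders).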