In-Reply-To: <273BE242-48AE-41EE-8CDD-7A981502B056@amazon.com>
From: Ewan Young
Date: Thu, 4 Jun 2026 11:00:34 +0800
Subject: Re: [PATCH] Clarify that ssl_groups is for any key exchange groups
To: "Si, Evan"
Cc: "pgsql-hackers@lists.postgresql.org"

On Thu, Jun 4, 2026 at 1:29 AM Si, Evan wrote:
>
> On 6/2/26, 11:32 PM, "Ewan Young" wrote:
> >
> > +1 for the idea. (I'm fairly new here, so please take my comments with
> > a grain of salt.)
>
> Thanks for the review!
>
> > 1. The comment just above the renamed call in be_tls_init() still
> > says "set up ephemeral DH and ECDH keys". Maybe it should be
> > updated to match?
>
> Right, that makes sense. I did a larger grep and updated comments where I found stale references to curves and (EC)DH.

Thanks! I re-did the grep on v2 and found no remaining stale
references.

>
> > 2. The SSLECDHCurve variable (and its "GUC variable for default ECDH
> > curve" comment in be-secure.c) still uses the old naming. I wasn't
> > sure if that was left out intentionally to keep the patch small --
> > if not, would it make sense to rename it too, for consistency with
> > the initialize_groups() rename?
>
> This also seems reasonable. I didn't find usage of this extern outside of Postgres itself in the wild from a brief search.
>
> Attached a revision.
>
> Evan
>

I tested v2 on top of current master:
- applies cleanly, builds without warnings (--with-openssl)
- src/test/ssl TAP suite passes

v2 looks good to me, and I have nothing further.

Best regards,
Ewan Young