public inbox for [email protected]help / color / mirror / Atom feed
Removing broken support for OpenSSL without ECDH 3+ messages / 3 participants [nested] [flat]
* Removing broken support for OpenSSL without ECDH @ 2026-05-22 18:01 Daniel Gustafsson <[email protected]> 0 siblings, 1 reply; 3+ messages in thread From: Daniel Gustafsson @ 2026-05-22 18:01 UTC (permalink / raw) To: Postgres hackers <[email protected]>; +Cc: Jacob Champion <[email protected]> Commit 316472146 introduced support for ECDH key exchange in 2013, honoring the OPENSSL_NO_ECDH macro for checking it OpenSSL supports ECDH. A few years later in 2015 OpenSSL removed the macro OPENSSL_NO_ECDH by merging OPENSSL_NO_ECDH and OPENSSL_NO_ECDSA into a single OPENSSL_NO_EC macro in commit 10bf4fc2c [0]. PostgreSQL never got the memo though, so our check has been defunct ever since. That being said, using OpenSSL without ECDH support sounds like an anti-feature and not something we want to re-introduce support for, so I propose just removing our useless guards as per the attached. There is clearly no need for backpatching, but I propose applying to master as it cleans up the code. Also, scanning the archives I was unable to find anyone complaining about this not working (which came to no surprise). -- Daniel Gustafsson [0] https://github.com/openssl/openssl/commit/10bf4fc2c Attachments: [application/octet-stream] 0001-Remove-incorrect-OpenSSL-feature-guards.patch (2.3K, 2-0001-Remove-incorrect-OpenSSL-feature-guards.patch) download | inline diff: From b362bc0b9db7af7d0321ab859a62fc7543d99b42 Mon Sep 17 00:00:00 2001 From: Daniel Gustafsson <[email protected]> Date: Fri, 22 May 2026 10:40:57 -0700 Subject: [PATCH] Remove incorrect OpenSSL feature guards Commit 316472146 introduced support for ECDH key exchange with an ifdef guard to ensure support in the underlying OpenSSL installation. Commit 10bf4fc2c in OpenSSL removed this guard in 2015 which effectively made our check a no-op. There has been no complaints that this doesn't work and OpenSSL installations without ECDH support are likely very rare, so remove the checks rather than re-implementing support. Also fix a typo introduced in the original commit which had survived till this day. Author: Daniel Gustafsson <[email protected]> Discussion: https://postgr.es/m/... --- src/backend/libpq/be-secure-openssl.c | 4 ---- src/backend/libpq/be-secure.c | 2 +- 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 877851a73cd..f2738c351f9 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -48,9 +48,7 @@ #include <openssl/bn.h> #include <openssl/conf.h> #include <openssl/dh.h> -#ifndef OPENSSL_NO_ECDH #include <openssl/ec.h> -#endif #include <openssl/x509v3.h> /* @@ -2115,7 +2113,6 @@ initialize_dh(SSL_CTX *context, bool isServerStart) static bool initialize_ecdh(SSL_CTX *context, bool isServerStart) { -#ifndef OPENSSL_NO_ECDH if (SSL_CTX_set1_groups_list(context, SSLECDHCurve) != 1) { /* @@ -2133,7 +2130,6 @@ initialize_ecdh(SSL_CTX *context, bool isServerStart) errhint("Ensure that each group name is spelled correctly and supported by the installed version of OpenSSL.")); return false; } -#endif return true; } diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c index 617704bb993..86ceea72e64 100644 --- a/src/backend/libpq/be-secure.c +++ b/src/backend/libpq/be-secure.c @@ -52,7 +52,7 @@ bool ssl_loaded_verify_locations = false; char *SSLCipherSuites = NULL; char *SSLCipherList = NULL; -/* GUC variable for default ECHD curve. */ +/* GUC variable for default ECDH curve. */ char *SSLECDHCurve; /* GUC variable: if false, prefer client ciphers */ -- 2.39.3 (Apple Git-146) ^ permalink raw reply [nested|flat] 3+ messages in thread
* Re: Removing broken support for OpenSSL without ECDH @ 2026-05-22 18:07 Tom Lane <[email protected]> parent: Daniel Gustafsson <[email protected]> 0 siblings, 1 reply; 3+ messages in thread From: Tom Lane @ 2026-05-22 18:07 UTC (permalink / raw) To: Daniel Gustafsson <[email protected]>; +Cc: Postgres hackers <[email protected]>; Jacob Champion <[email protected]> Daniel Gustafsson <[email protected]> writes: > That being said, using OpenSSL without ECDH support sounds like an anti-feature > and not something we want to re-introduce support for, so I propose just > removing our useless guards as per the attached. There is clearly no need for > backpatching, but I propose applying to master as it cleans up the code. LGTM. regards, tom lane ^ permalink raw reply [nested|flat] 3+ messages in thread
* Re: Removing broken support for OpenSSL without ECDH @ 2026-05-26 15:54 Jacob Champion <[email protected]> parent: Tom Lane <[email protected]> 0 siblings, 0 replies; 3+ messages in thread From: Jacob Champion @ 2026-05-26 15:54 UTC (permalink / raw) To: Tom Lane <[email protected]>; +Cc: Daniel Gustafsson <[email protected]>; Postgres hackers <[email protected]> On Fri, May 22, 2026 at 11:07 AM Tom Lane <[email protected]> wrote: > LGTM. +1 --Jacob ^ permalink raw reply [nested|flat] 3+ messages in thread
end of thread, other threads:[~2026-05-26 15:54 UTC | newest] Thread overview: 3+ messages (download: mbox.gz follow: Atom feed) -- links below jump to the message on this page -- 2026-05-22 18:01 Removing broken support for OpenSSL without ECDH Daniel Gustafsson <[email protected]> 2026-05-22 18:07 ` Tom Lane <[email protected]> 2026-05-26 15:54 ` Jacob Champion <[email protected]>
This inbox is served by agora; see mirroring instructions for how to clone and mirror all data and code used for this inbox