From: Daniel Gustafsson
Subject: Removing broken support for OpenSSL without ECDH
Message-Id: <1787BA9F-A11C-4A7A-9252-94C470D5CBE3@yesql.se>
Date: Fri, 22 May 2026 11:01:55 -0700
Cc: Jacob Champion
To: Postgres hackers

Commit 316472146 introduced support for ECDH key exchange in 2013, honoring the OPENSSL_NO_ECDH macro for checking if OpenSSL supports ECDH. A few years later in 2015 OpenSSL removed the macro OPENSSL_NO_ECDH by merging OPENSSL_NO_ECDH and OPENSSL_NO_ECDSA into a single OPENSSL_NO_EC macro in commit 10bf4fc2c [0]. PostgreSQL never got the memo though, so our check has been defunct ever since.
That being said, using OpenSSL without ECDH support sounds like an anti-feature and not something we want to re-introduce support for, so I propose just removing our useless guards as per the attached. There is clearly no need for backpatching, but I propose applying to master as it cleans up the code. Also, scanning the archives I was unable to find anyone complaining about this not working (which came as no surprise).

--
Daniel Gustafsson

[0] https://github.com/openssl/openssl/commit/10bf4fc2c

Attachment: 0001-Remove-incorrect-OpenSSL-feature-guards.patch

From b362bc0b9db7af7d0321ab859a62fc7543d99b42 Mon Sep 17 00:00:00 2001
From: Daniel Gustafsson
Date: Fri, 22 May 2026 10:40:57 -0700
Subject: [PATCH] Remove incorrect OpenSSL feature guards

Commit 316472146 introduced support for ECDH key exchange with an ifdef
guard to ensure support in the underlying OpenSSL installation.  Commit
10bf4fc2c in OpenSSL removed this guard in 2015 which effectively made
our check a no-op.  There have been no complaints that this doesn't work
and OpenSSL installations without ECDH support are likely very rare, so
remove the checks rather than re-implementing support.

Also fix a typo introduced in the original commit which had survived
till this day.

Author: Daniel Gustafsson
Discussion: https://postgr.es/m/...
---
 src/backend/libpq/be-secure-openssl.c | 4 ----
 src/backend/libpq/be-secure.c         | 2 +-
 2 files changed, 1 insertion(+), 5 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 877851a73cd..f2738c351f9 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -48,9 +48,7 @@
 #include 
 #include 
 #include 
-#ifndef OPENSSL_NO_ECDH
 #include 
-#endif
 #include 
 
 /*
@@ -2115,7 +2113,6 @@ initialize_dh(SSL_CTX *context, bool isServerStart)
 static bool
 initialize_ecdh(SSL_CTX *context, bool isServerStart)
 {
-#ifndef OPENSSL_NO_ECDH
 	if (SSL_CTX_set1_groups_list(context, SSLECDHCurve) != 1)
 	{
 		/*
@@ -2133,7 +2130,6 @@ initialize_ecdh(SSL_CTX *context, bool isServerStart)
 				errhint("Ensure that each group name is spelled correctly and supported by the installed version of OpenSSL."));
 		return false;
 	}
-#endif
 
 	return true;
 }
diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c
index 617704bb993..86ceea72e64 100644
--- a/src/backend/libpq/be-secure.c
+++ b/src/backend/libpq/be-secure.c
@@ -52,7 +52,7 @@ bool		ssl_loaded_verify_locations = false;
 char	   *SSLCipherSuites = NULL;
 char	   *SSLCipherList = NULL;
 
-/* GUC variable for default ECHD curve. */
+/* GUC variable for default ECDH curve. */
 char	   *SSLECDHCurve;
 
 /* GUC variable: if false, prefer client ciphers */
-- 
2.39.3 (Apple Git-146)
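Review bot: in the @@ -48,9 +48,7 @@ hunk of be-secure-openssl.c the include that sat between `#ifndef OPENSSL_NO_ECDH` and `#endif` becomes unconditional, which matches the neighbouring includes that were never guarded; the one thing to confirm before commit is that this header still compiles cleanly against an OpenSSL configured with OPENSSL_NO_EC, since that is the only configuration the old guard was ever meant to cover, and the commit message says nothing about what happens on such a build.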
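Review bot: the @@ -2115,7 +2113,6 @@ and @@ -2133,7 +2130,6 @@ hunks change what initialize_ecdh() does on an OpenSSL without EC support, and the commit message should say so: previously (had the macro ever been defined) the function skipped straight to `return true;` and silently accepted the configuration, whereas now it always calls SSL_CTX_set1_groups_list(context, SSLECDHCurve) and, on failure, reports it with the existing errhint about group names "supported by the installed version of OpenSSL" and returns false. That is the safer outcome, since a missing ECDH group list is no longer hidden from the administrator, but the message only says such installations are "likely very rare" rather than stating that they are now rejected at startup.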
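A scan for the failure mode this thread describes, added here as an example and not code from the post or from PostgreSQL: it walks C source for conditional directives that test an OPENSSL_NO_* macro the targeted OpenSSL no longer defines, which is exactly how the OPENSSL_NO_ECDH guard became a silent no-op. The set of current macros and the sample source are constructed; the ECDH/ECDSA to EC merge is the one the post cites.

```python
"""Flag preprocessor guards that test OpenSSL feature macros the library no
longer defines: such a guard is silently always true, as OPENSSL_NO_ECDH was."""
import re
from typing import Dict, List, Set, Tuple

# Macros OpenSSL folded into a successor, per the post: OPENSSL_NO_ECDH and
# OPENSSL_NO_ECDSA were merged into OPENSSL_NO_EC in 2015.
SUCCESSOR: Dict[str, str] = {
    "OPENSSL_NO_ECDH": "OPENSSL_NO_EC",
    "OPENSSL_NO_ECDSA": "OPENSSL_NO_EC",
}

# Constructed, deliberately incomplete set of macros a current OpenSSL can
# define; for a real scan derive it from the OpenSSL release you build against.
CURRENT_MACROS: Set[str] = {"OPENSSL_NO_EC", "OPENSSL_NO_DH", "OPENSSL_NO_SSL3"}

_DIRECTIVE = re.compile(r"^\s*#\s*(ifndef|ifdef|if|elif)\b(.*)$")
_MACRO = re.compile(r"\bOPENSSL_NO_[A-Z0-9_]+\b")


def stale_feature_guards(source: str, current: Set[str] = CURRENT_MACROS
                         ) -> List[Tuple[int, str, str]]:
    """Return (line_no, macro, successor_or_empty) for every conditional
    directive that tests an OPENSSL_NO_* macro absent from `current`."""
    hits: List[Tuple[int, str, str]] = []
    for no, line in enumerate(source.splitlines(), start=1):
        m = _DIRECTIVE.match(line)
        if not m:
            continue  # only #if/#ifdef/#ifndef/#elif lines can be guards
        for macro in _MACRO.findall(m.group(2)):
            if macro not in current:
                hits.append((no, macro, SUCCESSOR.get(macro, "")))
    return hits


# Constructed sample in the shape of the guarded code the patch removes;
# the include targets are made up here, not the patch's own lines.
SAMPLE_SOURCE = """\
#include <openssl/ssl.h>
#ifndef OPENSSL_NO_ECDH
#include <openssl/ec.h>
#endif
#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_ECDSA)
static int have_asymmetric = 1;
#endif
"""

if __name__ == "__main__":
    for no, macro, succ in stale_feature_guards(SAMPLE_SOURCE):
        hint = f" (merged into {succ})" if succ else ""
        print(f"line {no}: {macro} is never defined by current OpenSSL{hint}")
```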