public inbox for pgsql-hackers@postgresql.org
Removing broken support for OpenSSL without ECDH
* Removing broken support for OpenSSL without ECDH
@ 2026-05-22 18:01 Daniel Gustafsson <daniel@yesql.se>
2026-05-22 18:07 ` Re: Removing broken support for OpenSSL without ECDH Tom Lane <tgl@sss.pgh.pa.us>
0 siblings, 1 reply; 2+ messages in thread
From: Daniel Gustafsson @ 2026-05-22 18:01 UTC (permalink / raw)
To: Postgres hackers <pgsql-hackers@lists.postgresql.org>; +Cc: Jacob Champion <jacob.champion@enterprisedb.com>
Commit 316472146 introduced support for ECDH key exchange in 2013, honoring the
OPENSSL_NO_ECDH macro for checking if OpenSSL supports ECDH. A few years later
in 2015 OpenSSL removed the macro OPENSSL_NO_ECDH by merging OPENSSL_NO_ECDH
and OPENSSL_NO_ECDSA into a single OPENSSL_NO_EC macro in commit 10bf4fc2c [0].
PostgreSQL never got the memo though, so our check has been defunct ever since.
That being said, using OpenSSL without ECDH support sounds like an anti-feature
and not something we want to re-introduce support for, so I propose just
removing our useless guards as per the attached. There is clearly no need for
backpatching, but I propose applying to master as it cleans up the code.
Also, scanning the archives I was unable to find anyone complaining about this
not working (which came as no surprise).
--
Daniel Gustafsson
[0] https://github.com/openssl/openssl/commit/10bf4fc2c
Attachments:
[application/octet-stream] 0001-Remove-incorrect-OpenSSL-feature-guards.patch (2.3K, 2-0001-Remove-incorrect-OpenSSL-feature-guards.patch)
From b362bc0b9db7af7d0321ab859a62fc7543d99b42 Mon Sep 17 00:00:00 2001
From: Daniel Gustafsson <dgustafsson@postgresql.org>
Date: Fri, 22 May 2026 10:40:57 -0700
Subject: [PATCH] Remove incorrect OpenSSL feature guards
Commit 316472146 introduced support for ECDH key exchange with an ifdef
guard to ensure support in the underlying OpenSSL installation. Commit
10bf4fc2c in OpenSSL removed this guard in 2015 which effectively made
our check a no-op. There have been no complaints that this doesn't work
and OpenSSL installations without ECDH support are likely very rare, so
remove the checks rather than re-implementing support.
Also fix a typo introduced in the original commit which had survived
till this day.
Author: Daniel Gustafsson <daniel@yesql.se>
Discussion: https://postgr.es/m/...
---
src/backend/libpq/be-secure-openssl.c | 4 ----
src/backend/libpq/be-secure.c | 2 +-
2 files changed, 1 insertion(+), 5 deletions(-)
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 877851a73cd..f2738c351f9 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -48,9 +48,7 @@
#include <openssl/bn.h>
#include <openssl/conf.h>
#include <openssl/dh.h>
-#ifndef OPENSSL_NO_ECDH
#include <openssl/ec.h>
-#endif
#include <openssl/x509v3.h>
/*
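Review bot: with the guard around `#include <openssl/ec.h>` removed, the header is required unconditionally, but nothing in this patch makes the build fail early with a clear message on an OpenSSL built without EC. The thread says the surviving OpenSSL macro is OPENSSL_NO_EC and that such builds should not be supported, so consider naming OPENSSL_NO_EC in the commit message (it currently only says OpenSSL "removed this guard") and, if a hard stop is wanted, rejecting it with an `#error` or a configure-time check instead of leaving it to whatever compile or link error results.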
@@ -2115,7 +2113,6 @@ initialize_dh(SSL_CTX *context, bool isServerStart)
static bool
initialize_ecdh(SSL_CTX *context, bool isServerStart)
{
-#ifndef OPENSSL_NO_ECDH
if (SSL_CTX_set1_groups_list(context, SSLECDHCurve) != 1)
{
/*
@@ -2133,7 +2130,6 @@ initialize_ecdh(SSL_CTX *context, bool isServerStart)
errhint("Ensure that each group name is spelled correctly and supported by the installed version of OpenSSL."));
return false;
}
-#endif
return true;
}
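Review bot: the `#ifndef OPENSSL_NO_ECDH` / `#endif` pair around the body of initialize_ecdh() is the last use of the macro removed in this file, and the diffstat touches only two backend files. Please confirm with a tree-wide grep that no other OPENSSL_NO_ECDH reference remains (frontend code, build scripts, documentation), so the dead macro does not survive elsewhere after this cleanup.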
diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c
index 617704bb993..86ceea72e64 100644
--- a/src/backend/libpq/be-secure.c
+++ b/src/backend/libpq/be-secure.c
@@ -52,7 +52,7 @@ bool ssl_loaded_verify_locations = false;
char *SSLCipherSuites = NULL;
char *SSLCipherList = NULL;
-/* GUC variable for default ECHD curve. */
+/* GUC variable for default ECDH curve. */
char *SSLECDHCurve;
/* GUC variable: if false, prefer client ciphers */
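Review bot: the corrected comment above SSLECDHCurve still says "default ECDH curve" (singular), while the other file in this patch passes the variable to SSL_CTX_set1_groups_list() and its errhint speaks of "each group name". Since the line is being touched anyway, consider wording it to match that usage, for example `/* GUC variable for the list of ECDH groups (curves). */`.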
--
2.39.3 (Apple Git-146)
* Re: Removing broken support for OpenSSL without ECDH
2026-05-22 18:01 Removing broken support for OpenSSL without ECDH Daniel Gustafsson <daniel@yesql.se>
@ 2026-05-22 18:07 ` Tom Lane <tgl@sss.pgh.pa.us>
0 siblings, 0 replies; 2+ messages in thread
From: Tom Lane @ 2026-05-22 18:07 UTC (permalink / raw)
To: Daniel Gustafsson <daniel@yesql.se>; +Cc: Postgres hackers <pgsql-hackers@lists.postgresql.org>; Jacob Champion <jacob.champion@enterprisedb.com>
Daniel Gustafsson <daniel@yesql.se> writes:
> That being said, using OpenSSL without ECDH support sounds like an anti-feature
> and not something we want to re-introduce support for, so I propose just
> removing our useless guards as per the attached. There is clearly no need for
> backpatching, but I propose applying to master as it cleans up the code.
LGTM.
regards, tom lane