Daniel Gustafsson <[email protected]> writes:
> On 9 Feb 2026, at 20:41, Tom Lane <[email protected]> wrote:
>> I don't object to X25519 being in the default setting, given that it
>> seems to be widely used.  But I think we had better (1) document that
>> you need to remove it if you want to run under FIPS, and (2) fix our
>> SSL-using regression tests to not use it.  I wonder also if we could
>> find a way to validate the ssl_groups setting in a check_hook.

> Maybe we can create a lightweight throw-away context in a check hook and
> ensure the settings work?

Yeah, I was envisioning something like that.  The main trick would be
to ensure that we can't error out, but given that we'd mostly be
calling OpenSSL code, ensuring that there's no ereport(ERROR)
shouldn't be too hard.

But I'd counsel getting the easy bits (1) and (2) out of the way
first.

> Are you hacking on it or do you want me to pick it up?

I was not planning to work on that.

                        regards, tom lane

