From b362bc0b9db7af7d0321ab859a62fc7543d99b42 Mon Sep 17 00:00:00 2001
From: Daniel Gustafsson <dgustafsson@postgresql.org>
Date: Fri, 22 May 2026 10:40:57 -0700
Subject: [PATCH] Remove incorrect OpenSSL feature guards

Commit 316472146 introduced support for ECDH key exchange with an ifdef
guard to ensure support in the underlying OpenSSL installation.  Commit
10bf4fc2c in OpenSSL removed this guard in 2015 which effectively made
our check a no-op.  There have been no complaints that this doesn't work
and OpenSSL installations without ECDH support are likely very rare, so
remove the checks rather than re-implementing support.

Also fix a typo introduced in the original commit which had survived
till this day.

Author: Daniel Gustafsson <daniel@yesql.se>
Discussion: https://postgr.es/m/...
---
 src/backend/libpq/be-secure-openssl.c | 4 ----
 src/backend/libpq/be-secure.c         | 2 +-
 2 files changed, 1 insertion(+), 5 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 877851a73cd..f2738c351f9 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -48,9 +48,7 @@
 #include <openssl/bn.h>
 #include <openssl/conf.h>
 #include <openssl/dh.h>
-#ifndef OPENSSL_NO_ECDH
 #include <openssl/ec.h>
-#endif
 #include <openssl/x509v3.h>
 
 /*
@@ -2115,7 +2113,6 @@ initialize_dh(SSL_CTX *context, bool isServerStart)
 static bool
 initialize_ecdh(SSL_CTX *context, bool isServerStart)
 {
-#ifndef OPENSSL_NO_ECDH
 	if (SSL_CTX_set1_groups_list(context, SSLECDHCurve) != 1)
 	{
 		/*
@@ -2133,7 +2130,6 @@ initialize_ecdh(SSL_CTX *context, bool isServerStart)
 				errhint("Ensure that each group name is spelled correctly and supported by the installed version of OpenSSL."));
 		return false;
 	}
-#endif
 
 	return true;
 }
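Review bot: Nothing in the visible part of initialize_ecdh says that it fails closed, and the final `return true` in this hunk is a good place to state it now that the `#endif` in front of it is gone. The visible code returns false whenever SSL_CTX_set1_groups_list (previous hunk) does not return 1, so success means OpenSSL accepted the configured list rather than silently keeping its built-in defaults. I would add `/* Reached only when OpenSSL accepted the configured group list. */` above `return true;`. The function's header comment lies outside these hunks, so it may already cover this.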
diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c
index 617704bb993..86ceea72e64 100644
--- a/src/backend/libpq/be-secure.c
+++ b/src/backend/libpq/be-secure.c
@@ -52,7 +52,7 @@ bool		ssl_loaded_verify_locations = false;
 char	   *SSLCipherSuites = NULL;
 char	   *SSLCipherList = NULL;
 
-/* GUC variable for default ECHD curve. */
+/* GUC variable for default ECDH curve. */
 char	   *SSLECDHCurve;
 
 /* GUC variable: if false, prefer client ciphers */
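Review bot: The corrected comment on SSLECDHCurve still describes a single "default ECDH curve", which does not match how the variable is used in be-secure-openssl.c. There it is passed to SSL_CTX_set1_groups_list, and the errhint speaks of "each group name", so the setting appears to hold a list of key-exchange groups. Since the line is being touched anyway, I would word it as `/* GUC variable: list of key exchange groups (name kept from the ECDH curve setting). */`. That way an operator restricting key exchange is not led to think only one curve can be given. The history implied by the parenthetical is inferred from the variable name, so confirm it before adopting the wording.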
-- 
2.39.3 (Apple Git-146)

