Re: BUG #16815: Unable to use the X448 an X25519 elliptic curves.

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: frank(dot)buettner(at)mdc-berlin(dot)de
Cc: pgsql-bugs(at)lists(dot)postgresql(dot)org
Subject: Re: BUG #16815: Unable to use the X448 an X25519 elliptic curves.
Date: 2021-01-08 20:46:07
Message-ID: 338775.1610138767@sss.pgh.pa.us
Lists: pgsql-bugs

PG Bug reporting form <noreply(at)postgresql(dot)org> writes:
> The openssl version that comes with CentOS8 will support both curves.
> And using the curves with Apache, for example, will work, so it is not an
> OS-related problem.
> SSLOpenSSLConfCmd Groups "X448:X25519:secp521r1:secp384r1" will work.
> But trying the same curves on PostgreSQL 13 will fail.
> ssl_ecdh_curve = 'X448' or
> ssl_ecdh_curve = 'X25519'

According to the fine manual, the allowed values for ssl_ecdh_curve
on a given system can be found out with "openssl ecparam -list_curves".
When I do that on a RHEL8 or CentOS8 system, I get

$ openssl ecparam -list_curves
secp224r1 : NIST/SECG curve over a 224 bit prime field
secp256k1 : SECG curve over a 256 bit prime field
secp384r1 : NIST/SECG curve over a 384 bit prime field
secp521r1 : NIST/SECG curve over a 521 bit prime field
prime256v1: X9.62/SECG curve over a 256 bit prime field

I have no idea what X448 and X25519 are, but they don't seem
to be known in a default Red Hat installation. It's entirely
possible that the Apache config command you show above is
"working" because it ignores unknown entries. (But I know zip
about Apache, so I might be wrong.)

regards, tom lane
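
The lookup described in the message above (comparing the configured ssl_ecdh_curve name with what "openssl ecparam -list_curves" prints), as an added example that is not part of the original message or of PostgreSQL. The function names are hypothetical, the curve listing is the one quoted in the message, and the postgresql.conf fragment is constructed.

```shell
# Added example (hypothetical helper names): check the ssl_ecdh_curve value in
# postgresql.conf-style text against an "openssl ecparam -list_curves" listing.

# The listing quoted in the message above, embedded so this runs offline.
SAMPLE_CURVES='secp224r1 : NIST/SECG curve over a 224 bit prime field
secp256k1 : SECG curve over a 256 bit prime field
secp384r1 : NIST/SECG curve over a 384 bit prime field
secp521r1 : NIST/SECG curve over a 521 bit prime field
prime256v1: X9.62/SECG curve over a 256 bit prime field'

# Constructed postgresql.conf fragment using a value from the bug report.
SAMPLE_CONF="ssl = on
#ssl_ecdh_curve = 'prime256v1'
ssl_ecdh_curve = 'X25519'   # value from the report"

# Print the short names (the text before the first colon) of a listing.
curve_names() {
    printf '%s\n' "$1" |
        awk -F: 'NF > 1 { gsub(/[ \t]/, "", $1); if ($1 != "") print $1 }'
}

# Print the effective ssl_ecdh_curve value: the last uncommented assignment,
# with the optional "=", quotes and any trailing comment removed.
conf_curve() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*ssl_ecdh_curve[ \t]*(=|[ \t])/ {
            v = $0
            sub(/^[ \t]*ssl_ecdh_curve[ \t]*=?[ \t]*/, "", v)
            sub(/[ \t]*#.*$/, "", v)
            gsub(/\047/, "", v)      # \047 is the single-quote character
            val = v
        }
        END { if (val != "") print val }'
}

# $1 = conf text, $2 = listing; returns 0 if listed, 1 if not, 2 if unset.
check_conf_curve() {
    want=$(conf_curve "$1")
    [ -n "$want" ] || return 2
    curve_names "$2" | grep -Fxq -- "$want"
}

# On a real host: check_conf_curve "$(cat postgresql.conf)" "$(openssl ecparam -list_curves)"
if check_conf_curve "$SAMPLE_CONF" "$SAMPLE_CURVES"; then
    echo "ssl_ecdh_curve '$(conf_curve "$SAMPLE_CONF")' is listed"
else
    echo "ssl_ecdh_curve '$(conf_curve "$SAMPLE_CONF")' is not listed by openssl ecparam"
fi
```

The comparison is an exact, case-sensitive match on the short name, and settings pulled in through include directives are not followed.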
