On Wed, Oct 2, 2024 at 11:33 AM Daniel Gustafsson <dan...@yesql.se> wrote:
> > If I migrate a server to a different machine that doesn't support my
> > groups, I don't know that this would give me enough information to fix
> > the configuration.
>
> Fair point, how about something along the lines of:
>
> + errmsg("ECDH: failed to set curve names specified in ssl_groups: %s",
> + SSLerrmessageExt(ERR_get_error(),
> + _("No valid groups found"))),
Yeah, I think that's enough of a pointer. And then maybe "Failed to
set group names specified in ssl_groups: %s" to get rid of the
lingering ECC references?
> > One nice side effect of the new ssl_groups implementation is that we
> > now support common group aliases. For example, "P-256", "prime256v1",
> > and "secp256r1" can all be specified now, whereas before ony
> > "prime256v1" worked because of how we looked up curves. Is that worth
> > a note in the docs?
>
> Maybe. We have this currently in the manual:
>
> "The full list of available curves can be shown with the command
> <command>openssl ecparam -list_curves</command>. Not all of them are
> usable with <acronym>TLS</acronym> though."
>
> Perhaps we can extend that with a short not on aliases? Got any suggested
> wordings for that if so?
Hm, well, I went down a rabbit hole this afternoon -- OpenSSL has an
open feature request [1] that might eventually document this the right
way. In the meantime, maybe something like...
An incomplete list of available groups can be shown with the
command openssl ecparam -list_curves. Not all of them are usable with
TLS though, and many supported group names and aliases are omitted.
In PostgreSQL versions before 18.0 this setting was named
ssl_ecdh_curve. It only accepted a single value and did not recognize
group aliases at all.
Thanks,
--Jacob
[1] https://github.com/openssl/openssl/issues/17953
