Hi, The ssl_groups parameter introduced in Postgres 18 decided to use a short_desc: "Sets the group(s) to use for Diffie-Hellman key exchange" [1]. The documentation still references curves [2].
However, this parameter is just passed through to SSL_CTX_set1_groups_list. This means the parameter readily accepts values like a pure `MLKEM768`, assuming the crypto lib supports it, which is true since OpenSSL 3.5. Yet these Shor-safe groups are not DH key exchange. I think it makes sense to modify the documentation to a more generic one to reflect the capabilities of ssl_groups more accurately, e.g. "Sets the named groups to use for TLS key exchange." A more concrete patch suggestion is attached. Evan [1] https://www.postgresql.org/message-id/D44791DD-0CD9-48A7-9471-60593673A91B%40yesql.se [2] https://www.postgresql.org/docs/18/runtime-config-connection.html#GUC-SSL-GROUPS
0001-Clarify-that-ssl_groups-is-for-any-key-exchange-grou.patch
Description: 0001-Clarify-that-ssl_groups-is-for-any-key-exchange-grou.patch
