The X25519 curve is not allowed when OpenSSL is configured for
FIPS mode, so add a note to the documentation that the default
setting must be altered for such setups.
Author: Daniel Gustafsson <daniel@yesql.se>
Reported-by: Tom Lane <tgl@sss.pgh.pa.us>
Discussion: https://postgr.es/m/3521653.1770666093@sss.pgh.pa.us
The default is <literal>X25519:prime256v1</literal>.
</para>
+ <note>
+ <para>
+ <literal>X25519</literal> is not allowed when
+ <productname>OpenSSL</productname> is configured for FIPS mode and
+ must be removed from the server configuration when FIPS mode is
+ enabled.
+ </para>
+ </note>
+
<para>
<productname>OpenSSL</productname> names for the most common curves
are:
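Review bot: In the added <note>, "must be removed from the server configuration" is ambiguous, because the context line just above states that the default is X25519:prime256v1, so on an untouched install there is nothing in the configuration file to remove. Suggest wording that tells the reader to set this parameter explicitly to a list that omits X25519 when FIPS mode is enabled, for example <literal>prime256v1</literal> taken from the default shown above. It would also help to say what the administrator will observe if the default is left in place under FIPS mode, since the note currently gives the requirement but not the symptom.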