From: Daniel Gustafsson <dgustafsson@postgresql.org>
Date: Mon, 16 Feb 2026 14:11:29 +0000 (+0100)
Subject: doc: Add note to ssl_group config on X25519 and FIPS
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=db93988ab0e78396f2ed9e96c826ff988d12b9f2;p=thirdparty%2Fpostgresql.git

doc: Add note to ssl_group config on X25519 and FIPS

The X25519 curve is not allowed when OpenSSL is configured for
FIPS mode, so add a note to the documentation that the default
setting must be altered for such setups.

Author: Daniel Gustafsson <daniel@yesql.se>
Reported-by: Tom Lane <tgl@sss.pgh.pa.us>
Discussion: https://postgr.es/m/3521653.1770666093@sss.pgh.pa.us
---

diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index 6bc2690ce07..faf0bdb62aa 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -1563,6 +1563,15 @@ include_dir 'conf.d'
         The default is <literal>X25519:prime256v1</literal>.
        </para>
 
+       <note>
+        <para>
+         <literal>X25519</literal> is not allowed when
+         <productname>OpenSSL</productname> is configured for FIPS mode and
+         must be removed from the server configuration when FIPS mode is
+         enabled.
+        </para>
+       </note>
+
        <para>
         <productname>OpenSSL</productname> names for the most common curves
         are: