From db93988ab0e78396f2ed9e96c826ff988d12b9f2 Mon Sep 17 00:00:00 2001 From: Daniel Gustafsson Date: Mon, 16 Feb 2026 15:11:29 +0100 Subject: [PATCH] doc: Add note to ssl_group config on X25519 and FIPS The X25519 curve is not allowed when OpenSSL is configured for FIPS mode, so add a note to the documentation that the default setting must be altered for such setups. Author: Daniel Gustafsson Reported-by: Tom Lane Discussion: https://postgr.es/m/3521653.1770666093@sss.pgh.pa.us --- doc/src/sgml/config.sgml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml index 6bc2690ce07..faf0bdb62aa 100644 --- a/doc/src/sgml/config.sgml +++ b/doc/src/sgml/config.sgml @@ -1563,6 +1563,15 @@ include_dir 'conf.d' The default is X25519:prime256v1. + + + X25519 is not allowed when + OpenSSL is configured for FIPS mode and + must be removed from the server configuration when FIPS mode is + enabled. + + + OpenSSL names for the most common curves are: -- 2.47.3
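Review bot: In the added note, "must be removed from the server configuration" is ambiguous next to the preceding context line, which says the default is X25519:prime256v1. A server running on the default has no X25519 entry in its configuration file to remove, so an operator could read the note as requiring no action. Suggest saying that the parameter must be set explicitly to a list that omits X25519 (for example prime256v1 alone) when OpenSSL is in FIPS mode. The note also does not say what happens if X25519 is left in place; one sentence on the observable failure would help operators recognise the problem when they hit it.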