PG Bug reporting form <noreply@postgresql.org> writes:

> The openssl version that comes with CentOS8 will support both curves.
> And using the curves with Apache, for example, will work, so it is not an
> OS related problem.
> SSLOpenSSLConfCmd Groups "X448:X25519:secp521r1:secp384r1" will work.
> But trying the same curves on PostgreSQL 13 will fail.
> ssl_ecdh_curve = 'X448' or
> ssl_ecdh_curve = 'X25519'

According to the fine manual, the allowed values for ssl_ecdh_curve
on a given system can be found out with "openssl ecparam -list_curves".
When I do that on a RHEL8 or CentOS8 system, I get

$ openssl ecparam -list_curves
secp224r1 : NIST/SECG curve over a 224 bit prime field
secp256k1 : SECG curve over a 256 bit prime field
secp384r1 : NIST/SECG curve over a 384 bit prime field
secp521r1 : NIST/SECG curve over a 521 bit prime field
prime256v1: X9.62/SECG curve over a 256 bit prime field

I have no idea what X448 and X25519 are, but they don't seem
to be known in a default Red Hat installation. It's entirely
possible that the Apache config command you show above is
"working" because it ignores unknown entries. (But I know zip
about Apache, so I might be wrong.)

regards, tom lane
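
The check described in the message above (comparing a configured ssl_ecdh_curve against the names printed by "openssl ecparam -list_curves"), as an added example that is not part of the original message or of PostgreSQL. The function names are hypothetical, the sample listing is the one quoted in the message, and the configuration lines are constructed; it assumes curve names precede the first ':' on a line and that the setting is written with '='.

```shell
#!/bin/sh
# Sample input: the curve listing quoted in the message (embedded so this runs offline).
SAMPLE_CURVES='secp224r1 : NIST/SECG curve over a 224 bit prime field
secp256k1 : SECG curve over a 256 bit prime field
secp384r1 : NIST/SECG curve over a 384 bit prime field
secp521r1 : NIST/SECG curve over a 521 bit prime field
prime256v1: X9.62/SECG curve over a 256 bit prime field'

# Constructed postgresql.conf fragment: one commented default, one active setting.
SAMPLE_CONF="#ssl_ecdh_curve = 'prime256v1'
ssl_ecdh_curve = 'X25519'   # requested by the application team"

# curve_names: read a -list_curves listing on stdin, print one curve name per line.
# Lines without ':' are treated as wrapped descriptions and skipped.
curve_names() {
    awk -F: 'NF > 1 { gsub(/[ \t]/, "", $1); if ($1 != "") print $1 }'
}

# conf_curve: read postgresql.conf text on stdin, print the value of the last
# uncommented ssl_ecdh_curve line (quotes and trailing comments removed).
conf_curve() {
    sed -n "s/^[[:space:]]*ssl_ecdh_curve[[:space:]]*=[[:space:]]*'\{0,1\}\([^'#[:space:]]*\).*/\1/p" |
        tail -n 1
}

# check_curve NAME LISTING: exit status 0 if NAME appears in LISTING as an
# exact, case-sensitive curve name, 1 otherwise.
check_curve() {
    printf '%s\n' "$2" | curve_names | grep -Fqx -- "$1"
}

# Prefer the live listing from the local openssl; fall back to the sample.
if command -v openssl >/dev/null 2>&1; then
    listing=$(openssl ecparam -list_curves 2>/dev/null) || listing=$SAMPLE_CURVES
else
    listing=$SAMPLE_CURVES
fi

wanted=$(printf '%s\n' "$SAMPLE_CONF" | conf_curve)
if check_curve "$wanted" "$listing"; then
    echo "ssl_ecdh_curve '$wanted' is in the local ecparam listing"
else
    echo "ssl_ecdh_curve '$wanted' is NOT in the local ecparam listing"
fi
```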