Re: BUG #16815: Unable to use the X448 an X25519 elliptic curves.
From | Tom Lane |
---|---|
Subject | Re: BUG #16815: Unable to use the X448 an X25519 elliptic curves. |
Date | |
Msg-id | 338775.1610138767@sss.pgh.pa.us |
In response to | BUG #16815: Unable to use the X448 an X25519 elliptic curves. (PG Bug reporting form <noreply@postgresql.org>) |
List | pgsql-bugs |
PG Bug reporting form <noreply@postgresql.org> writes:
> The openssl version that comes with CentOS8 will support both curves.
> And using the curves with the apache for example will work, so it is not an
> OS related problem.
> SSLOpenSSLConfCmd Groups "X448:X25519:secp521r1:secp384r1" will work.
> But try the same curves on postgresql 13 will fail.
> ssl_ecdh_curve = 'X448' or
> ssl_ecdh_curve = 'X25519'

According to the fine manual, the allowed values for ssl_ecdh_curve
on a given system can be found out with "openssl ecparam -list_curves".
When I do that on a RHEL8 or CentOS8 system, I get

    $ openssl ecparam -list_curves
      secp224r1 : NIST/SECG curve over a 224 bit prime field
      secp256k1 : SECG curve over a 256 bit prime field
      secp384r1 : NIST/SECG curve over a 384 bit prime field
      secp521r1 : NIST/SECG curve over a 521 bit prime field
      prime256v1: X9.62/SECG curve over a 256 bit prime field

I have no idea what X448 and X25519 are, but they don't seem to be
known in a default Red Hat installation.

It's entirely possible that the Apache config command you show above
is "working" because it ignores unknown entries. (But I know zip
about Apache, so I might be wrong.)

regards, tom lane
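
The check described in the message, as an added example that is not part of the original email or of PostgreSQL: a shell script that compares candidate ssl_ecdh_curve names, and the colon-separated Groups string from the report, with the names printed by "openssl ecparam -list_curves". The function names are hypothetical, and the embedded listing is the output quoted in the message, used when no local openssl is available.

```shell
#!/bin/sh
# Added example: validate ssl_ecdh_curve candidates against the names
# that `openssl ecparam -list_curves` reports. Function names are hypothetical.

# Constructed sample: the listing quoted in the message above (RHEL8/CentOS8).
SAMPLE_CURVES='  secp224r1 : NIST/SECG curve over a 224 bit prime field
  secp256k1 : SECG curve over a 256 bit prime field
  secp384r1 : NIST/SECG curve over a 384 bit prime field
  secp521r1 : NIST/SECG curve over a 521 bit prime field
  prime256v1: X9.62/SECG curve over a 256 bit prime field'

# curve_names: read a listing on stdin, print one curve name per line.
# The name is the text before the first ':'; wrapped description lines
# carry no colon and are skipped.
curve_names() {
    awk -F: 'NF > 1 { gsub(/[ \t]/, "", $1); if ($1 != "") print $1 }'
}

# curve_listed NAME LISTING: succeed only on an exact, case-sensitive match,
# so "x25519" or a prefix such as "secp" never passes by accident.
curve_listed() {
    printf '%s\n' "$2" | curve_names | grep -Fxq -- "$1"
}

# unknown_curves "A:B:C" LISTING: print each entry of a colon-separated
# list (the form used in the Apache Groups directive) that is not listed.
unknown_curves() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r name; do
        [ -n "$name" ] || continue
        curve_listed "$name" "$2" || printf '%s\n' "$name"
    done
}

# Prefer the local OpenSSL's own listing; fall back to the sample offline.
listing=$(openssl ecparam -list_curves 2>/dev/null) || listing=$SAMPLE_CURVES
[ -n "$listing" ] || listing=$SAMPLE_CURVES

for candidate in X448 X25519 prime256v1; do
    if curve_listed "$candidate" "$listing"; then
        echo "ssl_ecdh_curve = '$candidate': listed"
    else
        echo "ssl_ecdh_curve = '$candidate': not listed by openssl ecparam"
    fi
done
echo "Not listed from the Groups string:"
unknown_curves 'X448:X25519:secp521r1:secp384r1' "$listing"
```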