Discussion: BUG #19050: psql: could not find digest for NID UNDEF
The following bug has been logged on the website:

Bug reference: 19050
Logged by: Tommi Pakarinen
Email address: tommi.pakarinen@gmail.com
PostgreSQL version: 17.6
Operating system: Rocky Linux 10.0 (x86_64)
Description:

When Ed25519 certificate is configured on PG server, I'm able to connect with a Java client. Also, openssl and sslscan were able make connection and show certificate details. Still CLI tool (psql) does not work with it and refuses to connect.

Example:
$ PGPASSWORD='examplePassword' psql --username 'exampleUser' 'host=postgres.example.com port=5432 dbname=exampledb sslmode=require' -c "select 1"
psql: error: connection to server at "postgres.example.com" (192.0.2.10), port 5432 failed: could not find digest for NID UNDEF

I'm aware that disabling channel_binding makes psql to work, but that has some security implications. It's been mentioned on an archived thread, https://www.postgresql.org/message-id/flat/17760-b6c61e752ec07060%40postgresql.org, that this could have something to do with openssl, but any openssl 3 version should be recent enough to handle Ed25519.

Any chance to get psql working out of the box with Ed25519 TLS certificates?

Works as a client:
$ sslscan --version
2.1.5-static
OpenSSL 3.0.15 3 Sep 2024
$ openssl version
OpenSSL 3.2.2 4 Jun 2024 (Library: OpenSSL 3.2.2 4 Jun 2024)
$ java -version
openjdk version "17.0.16" 2025-07-15
OpenJDK Runtime Environment Temurin-17.0.16+8 (build 17.0.16+8)
OpenJDK 64-Bit Server VM Temurin-17.0.16+8 (build 17.0.16+8, mixed mode, sharing)
$ java -jar postgresql-42.7.7.jar | grep ^PostgreSQL
PostgreSQL JDBC Driver 42.7.7

Does not work (by default):
$ psql --version
psql (PostgreSQL) 17.6
PG Bug reporting form <noreply@postgresql.org> writes:
> When Ed25519 certificate is configured on PG server, I'm able to connect
> with a Java client. Also, openssl and sslscan were able make connection and
> show certificate details. Still CLI tool (psql) does not work with it and
> refuses to connect.

This does look similar to the previous discussion about RSA-PSS. But we fixed that a couple years ago. Are you sure your libpq is up-to-date? What about the openssl libraries it's bound to?

> $ openssl version
> OpenSSL 3.2.2 4 Jun 2024 (Library: OpenSSL 3.2.2 4 Jun 2024)

This proves zero about what libpq is using. Applying "ldd" to psql might be more enlightening.

regards, tom lane
Hi Tom,
Thank you for answering. I've tested psql connection with two hosts, both yielded the same result (could not find digest for NID UNDEF). Both systems have recent libpq and libssl. Also, "openssl s_client" shows server certificate correctly on both hosts.
TEST CLIENT 1: Rocky Linux 9.6 (Blue Onyx) using default repositories
postgresql package provides psql
postgresql-private-libs package provides libpq.so
openssl-libs package provides libssl.so
# dnf list installed postgresql\* openssl-libs
Installed Packages
openssl-libs.x86_64 1:3.2.2-6.el9_5.1 @anaconda
postgresql.x86_64 16.10-1.module+el9.6.0+32421+7c015469 @appstream
postgresql-private-libs.x86_64 16.10-1.module+el9.6.0+32421+7c015469 @appstream
# psql --version
psql (PostgreSQL) 16.10
# file -L $(which psql)
/bin/psql: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=51379c0b69cb45e885655e41f9f4587e20f679b5, for GNU/Linux 3.2.0, stripped
# ldd $(which psql) | grep -E "libpq|ssl"
libpq.so.private16-5 => /lib64/libpq.so.private16-5 (0x00007f69a0bc8000)
libssl.so.3 => /lib64/libssl.so.3 (0x00007f69a071a000)
TEST CLIENT 2: Rocky Linux 10.0 (Red Quartz) using repositories from download.postgresql.org
postgresql17 package provides psql
postgresql17-libs package provides libpq.so
openssl-libs package provides libssl.so
# dnf list installed postgresql\* openssl-libs
Installed Packages
openssl-libs.x86_64 1:3.2.2-16.el10 @anaconda
postgresql17.x86_64 17.6-1PGDG.rhel10 @pgdg17
postgresql17-libs.x86_64 17.6-1PGDG.rhel10 @pgdg17
# psql --version
psql (PostgreSQL) 17.6
# file -L $(which psql)
/bin/psql: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=794e81c0c1669164e24b22872e8224da031b087c, for GNU/Linux 3.2.0, stripped
# ldd /usr/pgsql-17/bin/psql | grep -E "libpq|ssl"
libpq.so.5 => /usr/pgsql-17/lib/libpq.so.5 (0x00007f30e8412000)
libssl.so.3 => /lib64/libssl.so.3 (0x00007f30e8050000)
On Thu, Sep 11, 2025 at 6:00 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
> PG Bug reporting form <noreply@postgresql.org> writes:
> > When Ed25519 certificate is configured on PG server, I'm able to connect
> > with a Java client. Also, openssl and sslscan were able make connection and
> > show certificate details. Still CLI tool (psql) does not work with it and
> > refuses to connect.
> This does look similar to the previous discussion about RSA-PSS.
> But we fixed that a couple years ago. Are you sure your libpq
> is up-to-date? What about the openssl libraries it's bound to?
> > $ openssl version
> > OpenSSL 3.2.2 4 Jun 2024 (Library: OpenSSL 3.2.2 4 Jun 2024)
> This proves zero about what libpq is using. Applying "ldd"
> to psql might be more enlightening.
> regards, tom lane
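
Background for the error discussed in this thread, as an added example (not code from the thread or from libpq): PostgreSQL's SCRAM channel binding uses the tls-server-end-point type from RFC 5929, which hashes the server certificate with the digest named by the certificate's signature algorithm, and Ed25519 names none. The DER stubs below are constructed skeletons rather than valid certificates, and the OID table is an illustrative subset.

```python
import hashlib

# signatureAlgorithm OID -> digest it names (illustrative subset, not exhaustive).
SIG_DIGEST = {
    "1.2.840.113549.1.1.5": "sha1",     # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
    "1.2.840.10045.4.3.3": "sha384",    # ecdsa-with-SHA384
    "1.3.101.112": None,                # Ed25519: no separate digest
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_oid(cert):
    _, start, _ = read_tlv(cert, 0)            # Certificate SEQUENCE
    _, _, tbs_end = read_tlv(cert, start)      # skip tbsCertificate
    _, alg, _ = read_tlv(cert, tbs_end)        # signatureAlgorithm SEQUENCE
    tag, s, e = read_tlv(cert, alg)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return decode_oid(cert[s:e])

def end_point_hash(cert):
    oid = signature_oid(cert)
    name = SIG_DIGEST.get(oid)
    if name is None:
        raise LookupError(f"no digest defined for signature algorithm {oid}")
    if name in ("md5", "sha1"):         # RFC 5929: replace with SHA-256
        name = "sha256"
    return hashlib.new(name, cert).digest()

def stub(alg):                          # constructed DER skeleton, not a real certificate
    seq = lambda body: bytes([0x30, len(body)]) + body
    return seq(seq(b"\x02\x01\x01") + seq(alg) + b"\x03\x02\x00\x00")

ED25519_STUB = stub(bytes.fromhex("06032b6570"))
RSA_SHA256_STUB = stub(bytes.fromhex("06092a864886f70d01010b0500"))
```

Calling `end_point_hash(ED25519_STUB)` raises `LookupError`, which is the same dead end the client reports as a missing digest, while the RSA stub yields a SHA-256 binding value.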