The following bug has been logged on the website:
Bug reference: 19050
Logged by: Tommi Pakarinen
Email address: tommi.pakarinen@gmail.com
PostgreSQL version: 17.6
Operating system: Rocky Linux 10.0 (x86_64)
Description:
When an Ed25519 certificate is configured on the PG server, I'm able to connect
with a Java client. Also, openssl and sslscan were able to make a connection and
show certificate details. Still, the CLI tool (psql) does not work with it and
refuses to connect.
Example:
$ PGPASSWORD='examplePassword' psql --username 'exampleUser' \
    'host=postgres.example.com port=5432 dbname=exampledb sslmode=require' \
    -c "select 1"
psql: error: connection to server at "postgres.example.com" (192.0.2.10),
port 5432 failed: could not find digest for NID UNDEF
I'm aware that disabling channel_binding makes psql work, but that has
some security implications.
It's been mentioned on an archived thread,
https://www.postgresql.org/message-id/flat/17760-b6c61e752ec07060%40postgresql.org,
that this could have something to do with openssl, but any openssl 3 version
should be recent enough to handle Ed25519.
Any chance to get psql working out of the box with Ed25519 TLS certificates?
Works as a client:
$ sslscan --version
2.1.5-static
OpenSSL 3.0.15 3 Sep 2024
$ openssl version
OpenSSL 3.2.2 4 Jun 2024 (Library: OpenSSL 3.2.2 4 Jun 2024)
$ java -version
openjdk version "17.0.16" 2025-07-15
OpenJDK Runtime Environment Temurin-17.0.16+8 (build 17.0.16+8)
OpenJDK 64-Bit Server VM Temurin-17.0.16+8 (build 17.0.16+8, mixed mode, sharing)
$ java -jar postgresql-42.7.7.jar | grep ^PostgreSQL
PostgreSQL JDBC Driver 42.7.7
Does not work (by default):
$ psql --version
psql (PostgreSQL) 17.6