Re: ecdh support causes unnecessary roundtrips - Mailing list pgsql-hackers

From Daniel Gustafsson
Subject Re: ecdh support causes unnecessary roundtrips
Date
Msg-id 49DF6D0C-63DC-4C35-9719-C7C62E1943EC@yesql.se
In response to Re: ecdh support causes unnecessary roundtrips  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: ecdh support causes unnecessary roundtrips
List pgsql-hackers
> On 20 Feb 2026, at 17:07, Tom Lane <tgl@sss.pgh.pa.us> wrote:

> My concern about the fix you suggest is that we won't be testing the
> same thing that people in the field will be using.

Yes and no.  Folks can configure this (and other ssl_* settings) in lots of
different ways which are all disjoint from our default.

> I'd rather test the normal configuration
> normally and make people who want to run the test on a FIPS platform
> do something different.

How about a function in Cluster.pm which returns whether the underlying OpenSSL
is using FIPS or not, and if it does we adjust the config to make it not fail
on an unallowed group?  That way we can have a CI job that runs with FIPS and
the adjusted test config, and the rest - along with the Buildfarm - runs the
default config.

--
Daniel Gustafsson



