BUG #19050: psql: could not find digest for NID UNDEF

Started by PG Bug reporting form, 7 months ago, 3 messages, bugs
#1 PG Bug reporting form
noreply@postgresql.org

The following bug has been logged on the website:

Bug reference: 19050
Logged by: Tommi Pakarinen
Email address: tommi.pakarinen@gmail.com
PostgreSQL version: 17.6
Operating system: Rocky Linux 10.0 (x86_64)
Description:

When an Ed25519 certificate is configured on the PG server, I'm able to connect
with a Java client. Also, openssl and sslscan were able to make a connection and
show certificate details. Still, the CLI tool (psql) does not work with it and
refuses to connect.

Example:
$ PGPASSWORD='examplePassword' psql --username 'exampleUser' \
    'host=postgres.example.com port=5432 dbname=exampledb sslmode=require' \
    -c "select 1"
psql: error: connection to server at "postgres.example.com" (192.0.2.10), port 5432 failed: could not find digest for NID UNDEF

I'm aware that disabling channel_binding makes psql work, but that has
some security implications.
It's been mentioned on an archived thread,
/messages/by-id/17760-b6c61e752ec07060@postgresql.org,
that this could have something to do with openssl, but any openssl 3 version
should be recent enough to handle Ed25519.

Any chance to get psql working out of the box with Ed25519 TLS certificates?

Works as a client:
$ sslscan --version
2.1.5-static
OpenSSL 3.0.15 3 Sep 2024

$ openssl version
OpenSSL 3.2.2 4 Jun 2024 (Library: OpenSSL 3.2.2 4 Jun 2024)

$ java -version
openjdk version "17.0.16" 2025-07-15
OpenJDK Runtime Environment Temurin-17.0.16+8 (build 17.0.16+8)
OpenJDK 64-Bit Server VM Temurin-17.0.16+8 (build 17.0.16+8, mixed mode, sharing)

$ java -jar postgresql-42.7.7.jar | grep ^PostgreSQL
PostgreSQL JDBC Driver 42.7.7

Does not work (by default):
$ psql --version
psql (PostgreSQL) 17.6

#2 Tom Lane
tgl@sss.pgh.pa.us
In reply to: PG Bug reporting form (#1)
Re: BUG #19050: psql: could not find digest for NID UNDEF

PG Bug reporting form <noreply@postgresql.org> writes:

When an Ed25519 certificate is configured on the PG server, I'm able to connect
with a Java client. Also, openssl and sslscan were able to make a connection and
show certificate details. Still, the CLI tool (psql) does not work with it and
refuses to connect.

This does look similar to the previous discussion about RSA-PSS.
But we fixed that a couple years ago. Are you sure your libpq
is up-to-date? What about the openssl libraries it's bound to?

$ openssl version
OpenSSL 3.2.2 4 Jun 2024 (Library: OpenSSL 3.2.2 4 Jun 2024)

This proves zero about what libpq is using. Applying "ldd"
to psql might be more enlightening.

regards, tom lane

#3 TKP
tommi.pakarinen@gmail.com
In reply to: Tom Lane (#2)
Re: BUG #19050: psql: could not find digest for NID UNDEF

Hi Tom,
Thank you for answering. I've tested the psql connection with two hosts, and both
yielded the same result (could not find digest for NID UNDEF). Both systems
have recent libpq and libssl. Also, "openssl s_client" shows the server
certificate correctly on both hosts.

TEST CLIENT 1: Rocky Linux 9.6 (Blue Onyx) using default repositories
postgresql package provides psql
postgresql-private-libs package provides libpq.so
openssl-libs package provides libssl.so

# dnf list installed postgresql\* openssl-libs
Installed Packages
openssl-libs.x86_64              1:3.2.2-6.el9_5.1                       @anaconda
postgresql.x86_64                16.10-1.module+el9.6.0+32421+7c015469   @appstream
postgresql-private-libs.x86_64   16.10-1.module+el9.6.0+32421+7c015469   @appstream

# psql --version
psql (PostgreSQL) 16.10

# file -L $(which psql)
/bin/psql: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=51379c0b69cb45e885655e41f9f4587e20f679b5, for GNU/Linux 3.2.0, stripped

# ldd $(which psql) | grep -E "libpq|ssl"
libpq.so.private16-5 => /lib64/libpq.so.private16-5 (0x00007f69a0bc8000)
libssl.so.3 => /lib64/libssl.so.3 (0x00007f69a071a000)

TEST CLIENT 2: Rocky Linux 10.0 (Red Quartz) using repositories from download.postgresql.org
postgresql17 package provides psql
postgresql17-libs package provides libpq.so
openssl-libs package provides libssl.so

# dnf list installed postgresql\* openssl-libs
Installed Packages
openssl-libs.x86_64        1:3.2.2-16.el10      @anaconda
postgresql17.x86_64        17.6-1PGDG.rhel10    @pgdg17
postgresql17-libs.x86_64   17.6-1PGDG.rhel10    @pgdg17

# psql --version
psql (PostgreSQL) 17.6

# file -L $(which psql)
/bin/psql: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=794e81c0c1669164e24b22872e8224da031b087c, for GNU/Linux 3.2.0, stripped

# ldd /usr/pgsql-17/bin/psql | grep -E "libpq|ssl"
libpq.so.5 => /usr/pgsql-17/lib/libpq.so.5 (0x00007f30e8412000)
libssl.so.3 => /lib64/libssl.so.3 (0x00007f30e8050000)

On Thu, Sep 11, 2025 at 6:00 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:


PG Bug reporting form <noreply@postgresql.org> writes:

When an Ed25519 certificate is configured on the PG server, I'm able to connect
with a Java client. Also, openssl and sslscan were able to make a connection and
show certificate details. Still, the CLI tool (psql) does not work with it and
refuses to connect.

This does look similar to the previous discussion about RSA-PSS.
But we fixed that a couple years ago. Are you sure your libpq
is up-to-date? What about the openssl libraries it's bound to?

$ openssl version
OpenSSL 3.2.2 4 Jun 2024 (Library: OpenSSL 3.2.2 4 Jun 2024)

This proves zero about what libpq is using. Applying "ldd"
to psql might be more enlightening.

regards, tom lane
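
As an added illustration (not part of the thread and not libpq's code): SCRAM channel binding in PostgreSQL uses tls-server-end-point, and RFC 5929 section 4.1 derives its hash from the digest named by the certificate's signatureAlgorithm, leaving the value undefined when the algorithm names none, as with Ed25519. The sketch walks just enough DER to show that case; the byte strings are constructed skeletons rather than real certificates, and all function names are hypothetical.

```python
import hashlib

# signatureAlgorithm OID -> digest it names (None: none). RSASSA-PSS is not handled.
SIGALG_DIGEST = {
    "1.2.840.113549.1.1.5": "sha1",    "1.2.840.113549.1.1.11": "sha256",  # RSA
    "1.2.840.113549.1.1.12": "sha384", "1.2.840.113549.1.1.13": "sha512",  # RSA
    "1.2.840.10045.4.3.2": "sha256",   "1.2.840.10045.4.3.3": "sha384",    # ECDSA
    "1.3.101.112": None,               "1.3.101.113": None,        # Ed25519, Ed448
}

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0    # holds for OIDs under arcs 0 and 1
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                     # last byte of this arc
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def signature_oid(cert_der):
    _, cert, _ = read_tlv(cert_der)          # Certificate ::= SEQUENCE
    _, _, pos = read_tlv(cert)               # skip tbsCertificate
    _, alg, _ = read_tlv(cert, pos)          # signatureAlgorithm
    tag, oid, _ = read_tlv(alg)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return decode_oid(oid)

def tls_server_end_point(cert_der):
    """RFC 5929 section 4.1 value, or None where the RFC leaves it undefined."""
    digest = SIGALG_DIGEST[signature_oid(cert_der)]   # KeyError: unknown algorithm
    if digest is None:
        return None
    return hashlib.new("sha256" if digest in ("md5", "sha1") else digest, cert_der).digest()

# Constructed DER skeletons (empty tbsCertificate, dummy signature), not real certs.
def skeleton(oid, params=b""):
    alg = bytes([0x30, len(oid) + 2 + len(params), 0x06, len(oid)]) + oid + params
    return bytes([0x30, len(alg) + 5]) + b"\x30\x00" + alg + b"\x03\x01\x00"

ED25519_CERT = skeleton(bytes.fromhex("2b6570"))
RSA_SHA256_CERT = skeleton(bytes.fromhex("2a864886f70d01010b"), b"\x05\x00")
```

For ED25519_CERT the function returns None, while RSA_SHA256_CERT yields a 32-byte SHA-256 value. To try it on a real server certificate, pass its DER encoding to tls_server_end_point.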