Specifies the named group to use for TLS key exchange.
At a glance
| Property | Value |
|---|---|
| Parameter | ssl_groups |
| Category | Connections and Authentication |
| Default | X25519:prime256v1 |
| Value type | string |
| Change scope | Reload (postgresql.conf, SIGHUP) |
| Available in | PostgreSQL 18, 19 (added in 18) |
What it does
Specifies the named group to use for TLS key exchange. It needs to be supported by all clients that connect. Multiple groups can be specified by using a colon-separated list. It does not need to match the key type used by the server certificate. This parameter can only be set in the postgresql.conf file or on the server command line. The default is X25519:prime256v1.
X25519 is not allowed when OpenSSL is configured for FIPS mode and must be removed from the server configuration when FIPS mode is enabled.
(Description quoted from the official PostgreSQL documentation.)
How to apply a change
Set it in postgresql.conf (or with `ALTER SYSTEM`) and reload with `SELECT pg_reload_conf();` or `pg_ctl reload`. No restart is needed.
Inspect the current value and source with `SHOW ssl_groups;` or `SELECT name, setting, unit, context, source FROM pg_settings WHERE name = 'ssl_groups';`.
Tuning guidance
This is a connectivity or security setting, not a performance knob. Choose the value from your security and network requirements (TLS files, ciphers, keepalives, authentication behaviour) rather than for throughput, and verify it against your organization’s policy. Test changes in staging, because a wrong value here can lock clients out.
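The following lint is an added example, not part of the PostgreSQL documentation or code. It checks a proposed ssl_groups value against the two rules described above (colon-separated list, no X25519 under FIPS mode) and reports which clients would share no group with the server. The client inventory, the function names, and the case-insensitive name matching are assumptions made for illustration.

```python
# Added example: lint a proposed ssl_groups value before reloading.
# Client inventories below are constructed sample data.

# Names for the same NIST P-256 curve; normalised so lists compare correctly.
ALIASES = {"p-256": "prime256v1", "secp256r1": "prime256v1"}
FIPS_DISALLOWED = {"x25519"}  # per the description above


def normalise(name):
    # Assumption: names are compared case-insensitively for linting purposes.
    key = name.strip().lower()
    return ALIASES.get(key, key)


def parse_groups(value):
    """Split a colon-separated ssl_groups string, keeping preference order."""
    groups = [normalise(g) for g in value.split(":")]
    if any(not g for g in groups):
        raise ValueError(f"empty group name in {value!r}")
    return groups


def lint_ssl_groups(value, fips_mode, clients):
    """Return (fips_violations, locked_out) for a proposed setting.

    clients maps a client label to the group names it can offer.
    """
    server = parse_groups(value)
    fips_violations = [g for g in server if fips_mode and g in FIPS_DISALLOWED]
    # Assumption: a flagged group is treated as unavailable for negotiation.
    usable = [g for g in server if g not in fips_violations]
    locked_out = sorted(
        label for label, offered in clients.items()
        if not {normalise(o) for o in offered} & set(usable)
    )
    return fips_violations, locked_out


CLIENTS = {  # constructed inventory, not measured data
    "batch-loader": ["X25519"],
    "web-app": ["X25519", "secp256r1"],
    "legacy-report": ["secp384r1"],
}

if __name__ == "__main__":
    for fips in (False, True):
        print(fips, lint_ssl_groups("X25519:prime256v1", fips, CLIENTS))
```

With the default value, enabling FIPS mode both flags X25519 and shows that a client offering only X25519 would no longer have a group in common with the server.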