public inbox for [email protected]  
Re: How to configure client-side TLS ciphers for streaming replication?

* Re: How to configure client-side TLS ciphers for streaming replication?
@ 2025-08-26 12:16  Laurenz Albe <[email protected]>
  0 siblings, 1 reply; 2+ messages in thread

From: Laurenz Albe @ 2025-08-26 12:16 UTC (permalink / raw)
  To: xx Z <[email protected]>; [email protected]

On Tue, 2025-08-26 at 19:48 +0800, xx Z wrote:
> Is there a way for a streaming replication standby (client) to restrict its list
> of supported TLS ciphers, similar to how the ssl_ciphers parameter works on the
> primary server?
> We need this for security compliance but can't find an equivalent setting for
> the client-side connection in primary_conninfo.

I don't think that there is a way to do that on the client side.
But the streaming replication primary is surely under your control, so it should
be sufficient to set "ssl_ciphers" there.

Yours,
Laurenz Albe
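
The server-side approach suggested above, as an added example that is not part of the original thread: restrict ciphers on the primary, then confirm from `pg_stat_ssl` what each standby's replication connection actually negotiated. The cipher string and the allowed-cipher names below are constructed samples, not values from the thread.

```sql
-- Run on the primary as a superuser.
-- The cipher list is a constructed sample in OpenSSL cipher-list syntax;
-- substitute the list your compliance baseline requires.
-- ssl_ciphers governs TLS 1.2 and lower, so pin the protocol floor as well.
ALTER SYSTEM SET ssl_ciphers = 'ECDHE+AESGCM:!aNULL';
ALTER SYSTEM SET ssl_min_protocol_version = 'TLSv1.2';
SELECT pg_reload_conf();

-- Already established connections keep the cipher they negotiated, so
-- restart the standby's walreceiver (or the standby) before checking.

-- What every replication connection negotiated:
SELECT r.application_name,
       r.client_addr,
       r.state,
       s.ssl,
       s.version AS tls_version,
       s.cipher,
       s.bits
FROM pg_stat_replication AS r
JOIN pg_stat_ssl AS s USING (pid)
ORDER BY r.application_name;

-- Compliance check: replication connections that are unencrypted or use a
-- cipher outside the allowed set (constructed sample names). An empty
-- result means every standby is within policy.
WITH allowed(cipher) AS (
    VALUES ('ECDHE-RSA-AES256-GCM-SHA384'),
           ('ECDHE-RSA-AES128-GCM-SHA256')
)
SELECT r.application_name, r.client_addr, s.ssl, s.version, s.cipher
FROM pg_stat_replication AS r
JOIN pg_stat_ssl AS s USING (pid)
WHERE NOT s.ssl
   OR s.cipher NOT IN (SELECT cipher FROM allowed);
```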







* Re: How to configure client-side TLS ciphers for streaming replication?
@ 2025-08-26 12:34  xx Z <[email protected]>
  parent: Laurenz Albe <[email protected]>
  0 siblings, 0 replies; 2+ messages in thread

From: xx Z @ 2025-08-26 12:34 UTC (permalink / raw)
  To: Laurenz Albe <[email protected]>; +Cc: [email protected]

Thanks for your suggestion.
But I still want to know why we can't set "ssl_ciphers" on the client side.
This is still considered a security issue in some cases, and PostgreSQL has
mature capabilities on the master side to implement this functionality.

Greetings,
Yunfei Zhou

On Tue, Aug 26, 2025 at 20:17, Laurenz Albe <[email protected]> wrote:

> On Tue, 2025-08-26 at 19:48 +0800, xx Z wrote:
> > Is there a way for a streaming replication standby (client) to restrict its list
> > of supported TLS ciphers, similar to how the ssl_ciphers parameter works on the
> > primary server?
> > We need this for security compliance but can't find an equivalent setting for
> > the client-side connection in primary_conninfo.
>
> I don't think that there is a way to do that on the client side.
> But the streaming replication primary is surely under your control, so it should
> be sufficient to set "ssl_ciphers" there.
>
> Yours,
> Laurenz Albe
>

