Subject: Re: How to configure client-side TLS ciphers for streaming replication?
From: Laurenz Albe
To: xx Z, pgsql-general@lists.postgresql.org
Date: Tue, 26 Aug 2025 14:16:58 +0200

On Tue, 2025-08-26 at 19:48 +0800, xx Z wrote:
> Is there a way for a streaming replication standby (client) to restrict its list
> of supported TLS ciphers, similar to how the ssl_ciphers parameter works on the
> primary server?
> We need this for security compliance but can't find an equivalent setting for
> the client-side connection in primary_conninfo.

I don't think that there is a way to do that on the client side.

But the streaming replication primary is surely under your control, so it should
be sufficient to set "ssl_ciphers" there.

Yours,
Laurenz Albe
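
The server-side approach from the reply above, as an added example that is not part of the original post: restrict the cipher list on the primary, then check from the primary what each standby connection actually negotiated. The cipher string and the `meets_policy` rule are constructed sample policy, not values from the thread.

```sql
-- Run on the primary as a superuser.

-- Restrict the cipher suites the primary will accept. The value is an
-- OpenSSL cipher list; this one is a constructed sample policy.
-- Note: ssl_ciphers only affects TLS 1.2 and lower.
ALTER SYSTEM SET ssl_ciphers = 'ECDHE+AESGCM:!aNULL';

-- Refuse protocol versions older than TLS 1.2.
ALTER SYSTEM SET ssl_min_protocol_version = 'TLSv1.2';

-- Let the server choose the cipher instead of the client (the default).
ALTER SYSTEM SET ssl_prefer_server_ciphers = on;

-- Both settings above are reloadable; no restart is required.
SELECT pg_reload_conf();

-- Existing walsender connections keep the cipher they negotiated earlier,
-- so restart or reconnect the standby before checking.

-- Join the replication view with the TLS view on the walsender pid to see
-- what each standby negotiated. "meets_policy" is a hypothetical column
-- that encodes the sample policy above (TLS 1.2 or later, AES-GCM suite).
SELECT r.pid,
       r.application_name,
       r.client_addr,
       r.state,
       s.ssl,
       s.version AS tls_version,
       s.cipher,
       s.bits,
       (s.ssl
        AND s.version IN ('TLSv1.2', 'TLSv1.3')
        AND s.cipher LIKE '%GCM%') AS meets_policy
FROM pg_stat_replication AS r
JOIN pg_stat_ssl AS s USING (pid)
ORDER BY r.application_name;
```

A row with `ssl = false` means the standby connected without TLS at all, which the cipher settings cannot prevent; that is governed by `hostssl` entries for the `replication` database in `pg_hba.conf`.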