Subject: Re: How to configure client-side TLS ciphers for streaming replication?
From: Daniel Gustafsson
Date: Wed, 27 Aug 2025 21:59:18 +0200
To: Laurenz Albe
Cc: xx Z, pgsql-general@lists.postgresql.org
Message-Id: <8611DCDB-C0C7-4080-9E34-97E19E4F8CF5@yesql.se>
References: <743186f112b705eb80ba1d03fc2b41f35356dc5e.camel@cybertec.at>

> On 26 Aug 2025, at 22:16, Laurenz Albe wrote:
>
> On Tue, 2025-08-26 at 20:34 +0800, xx Z wrote:
>> Thanks for your suggestion.
>> But I still want to know why we can't set "ssl_ciphers" on the client side.
>
> I'd say because nobody implemented it, perhaps because nobody felt the need.

I think the former is a highly likely suspect here.

>> This is still considered a security issue in some cases, and PostgreSQL has
>> mature capabilities on the master side to implement this functionality.
>
> That sounds to me like some moderately clueful security auditor is looking
> for a nit to pick. If you do streaming replication, and you control the
> ciphers on the primary server, what added security benefit do you get by
> controlling the ciphers on the standby server (the client) as well?

I would place this above nitpicking, but I also don't have a clear idea of an attack (if I did I'd fix it..). TLS is riddled with weird cases involving network middleboxes (usually very enterprisy) so insisting on control isn't necessarily a bad thing.

--
Daniel Gustafsson
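The check a defender would run before deciding whether client-side cipher control matters, as an added example that is not part of this thread: on the primary, compare the configured ssl_ciphers with what each streaming replication client actually negotiated. It uses only PostgreSQL's standard pg_stat_ssl and pg_stat_replication views and assumes the primary was built with SSL support.

```sql
-- Added example, not from the thread. Run on the primary as a superuser or
-- a role with pg_read_all_stats, so the cipher columns are not masked.

-- 1. What the primary is configured to accept (the server-side control
--    the thread discusses).
SHOW ssl_ciphers;
SHOW ssl_min_protocol_version;

-- 2. What each connected standby (the client) actually negotiated.
--    pg_stat_ssl is keyed by backend pid, so join it to the walsender
--    rows in pg_stat_replication. A row with ssl = false, or with a
--    version/cipher outside the set you expect from step 1, is what a
--    monitoring job should alert on; LEFT JOIN keeps a standby visible
--    even when no TLS row exists for it.
SELECT r.application_name,
       r.client_addr,
       r.state,
       s.ssl,
       s.version,
       s.cipher,
       s.bits
FROM pg_stat_replication AS r
LEFT JOIN pg_stat_ssl AS s ON s.pid = r.pid
ORDER BY r.application_name;
```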