From: xx Z
Date: Tue, 26 Aug 2025 20:34:59 +0800
Subject: Re: How to configure client-side TLS ciphers for streaming replication?
To: Laurenz Albe
Cc: pgsql-general@lists.postgresql.org
In-Reply-To: <743186f112b705eb80ba1d03fc2b41f35356dc5e.camel@cybertec.at>

Thanks for your suggestion.
But I still want to know why we can't set "ssl_ciphers" on the client side.
This is still considered a security issue in some cases, and PostgreSQL has mature capabilities on the master side to implement this functionality.

Greetings,
Yunfei Zhou

Laurenz Albe <laurenz.albe@cybertec.at> wrote on Tue, 26 Aug 2025 at 20:17:
> On Tue, 2025-08-26 at 19:48 +0800, xx Z wrote:
> > Is there a way for a streaming replication standby (client) to restrict its list
> > of supported TLS ciphers, similar to how the ssl_ciphers parameter works on the
> > primary server?
> > We need this for security compliance but can't find an equivalent setting for
> > the client-side connection in primary_conninfo.
>
> I don't think that there is a way to do that on the client side.
> But the streaming replication primary is surely under your control, so it should
> be sufficient to set "ssl_ciphers" there.
>
> Yours,
> Laurenz Albe
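[Editor's note] The exchange above ends with the advice to restrict ciphers on the primary, since libpq (and therefore primary_conninfo on the standby) exposes no cipher-list parameter. The following is an added example, not code from either poster or from the PostgreSQL project: it shows the shipped default beside a hardened server-side policy, applies it without a restart, and then verifies from the primary's own statistics which cipher each standby actually negotiated. The GUC names, views and columns are real PostgreSQL ones; the specific cipher string is an assumed policy and should be replaced by whatever your compliance baseline mandates. Run it on the primary as a superuser (or a role with ALTER SYSTEM privilege and pg_read_all_stats membership, otherwise the per-session SSL columns come back NULL).

```sql
-- Added example (not from the thread). Run on the PRIMARY.
-- The cipher string below is an assumed policy, not a PostgreSQL default.

-- Before: the documented default, which still admits MEDIUM suites and 3DES.
-- ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'

-- After: forward-secret AEAD suites only, TLS 1.2 as the floor, and the
-- server (not the standby) decides the suite order.
ALTER SYSTEM SET ssl_ciphers = 'ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!3DES';
ALTER SYSTEM SET ssl_prefer_server_ciphers = on;
ALTER SYSTEM SET ssl_min_protocol_version = 'TLSv1.2';
SELECT pg_reload_conf();   -- all three are reloadable; no restart required

-- Caveat: ssl_ciphers applies to TLS 1.2 and earlier only. TLS 1.3 cipher
-- suites are selected by the OpenSSL build/configuration, not by this GUC.

-- Verification: which cipher did each standby really negotiate?
-- Sessions that were already open keep their old parameters until they
-- reconnect, so a standby still showing a disallowed suite needs its WAL
-- receiver restarted before this report is clean.
SELECT r.application_name,
       r.client_addr,
       r.state,
       s.version,
       s.cipher,
       s.bits,
       (s.cipher NOT LIKE '%GCM%' AND s.cipher NOT LIKE '%CHACHA20%') AS non_aead
FROM pg_stat_replication AS r
JOIN pg_stat_ssl AS s ON s.pid = r.pid
ORDER BY r.application_name;
```

Two points a practitioner would check next. First, the standby is not entirely without knobs: libpq does accept ssl_min_protocol_version (and sslmode=verify-full) in primary_conninfo, so the protocol floor can be pinned from the standby side even though the cipher list cannot. Second, the policy can be probed from the standby host without database privileges, for example with `openssl s_client -starttls postgres -connect <primary>:5432 -cipher 'DES-CBC3-SHA'` (OpenSSL 1.1.1 or later understands the postgres STARTTLS variant); after the change above that handshake must fail, while the same command without the -cipher restriction must report an ECDHE AEAD suite.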