From: xx Z
Date: Tue, 26 Aug 2025 21:09:36 +0800
Subject: Re: Feature request: A method to configure client-side TLS ciphers for streaming replication
To: Ron Johnson
Cc: pgsql-general@lists.postgresql.org

Hello,

Thank you for the reply and for the advice about our PostgreSQL version. We will plan to update it.

To clarify what I meant by "standby (client)": In a streaming replication setup, the standby server connects to the primary server to receive data. In this specific network connection, the standby acts as the client, and the primary acts as the server. My question is about restricting the list of supported TLS ciphers on the standby (the client side of the connection).

Regarding my original question, does the latest version of PostgreSQL provide a way to configure the client-side TLS cipher list for the replication connection? If not, are there any discussions or plans to add this feature in the future?

Thank you for your help.

Best regards,
Yunfei Zhou

On Tue, Aug 26, 2025 at 21:00, Ron Johnson wrote:

> On Tue, Aug 26, 2025 at 3:28 AM xx Z wrote:
>
>> Hello PostgreSQL community,
>>
>> I have a question regarding the configuration of streaming replication.
>>
>> When setting up streaming replication over TLS, I've noticed that while
>> the primary server can restrict its supported encryption algorithms using
>> the ssl_ciphers parameter, there doesn't seem to be a corresponding method
>> for the standby (client) side of the replication connection. The standby
>> appears to use all the default ciphers supported by the system's OpenSSL
>> library.
>>
>
> What is a "standby (client)"?
>
>> Postgresql version: 15.2
>>
>
> That's missing 12 sets (three years) of bug fixes. When using RPM or .deb
> packages, updating takes only a few minutes.
>
> --
> Death to <Redacted>, and butter sauce.
> Don't boil me, I'm still alive.
> <Redacted> lobster!
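An added example, not part of the original thread: whichever cipher lists the two sides offer, the primary can report what was actually negotiated for each standby by joining pg_stat_replication to pg_stat_ssl. The cipher names in the allow-list are placeholders to replace with your own policy.

```sql
-- Run on the primary. One row per WAL sender (i.e. per connected standby),
-- with the TLS parameters negotiated for that replication connection.
SELECT r.pid,
       r.application_name,
       r.client_addr,
       r.state,
       s.ssl,
       s.version AS tls_version,
       s.cipher,
       s.bits,
       CASE
           WHEN s.ssl IS NOT TRUE THEN 'NOT ENCRYPTED'
           WHEN s.cipher = ANY (ARRAY[          -- hypothetical allow-list
                    'TLS_AES_256_GCM_SHA384',
                    'TLS_AES_128_GCM_SHA256',
                    'ECDHE-RSA-AES256-GCM-SHA384'])
               THEN 'ok'
           ELSE 'cipher outside allow-list'
       END AS verdict
FROM pg_stat_replication AS r
LEFT JOIN pg_stat_ssl AS s USING (pid)   -- pg_stat_ssl is keyed by backend pid
ORDER BY r.application_name;
```

Running this periodically, or after any OpenSSL or PostgreSQL package update on either node, shows whether the negotiated cipher for a standby has drifted from what the policy expects.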