From: Ron Johnson
Date: Tue, 26 Aug 2025 08:59:39 -0400
Subject: Re: Feature request: A method to configure client-side TLS ciphers for streaming replication
To: pgsql-general@lists.postgresql.org

On Tue, Aug 26, 2025 at 3:28 AM xx Z wrote:

> Hello PostgreSQL community,
>
> I have a question regarding the configuration of streaming replication.
>
> When setting up streaming replication over TLS, I've noticed that while
> the primary server can restrict its supported encryption algorithms using
> the ssl_ciphers parameter, there doesn't seem to be a corresponding method
> for the standby (client) side of the replication connection. The standby
> appears to use all the default ciphers supported by the system's OpenSSL
> library.
>

What is a "standby (client)"?

> Postgresql version: 15.2
>

That's missing 12 sets (three years) of bug fixes. When using RPM or .deb packages, updating takes only a few minutes.

--
Death to <Redacted>, and butter sauce.
Don't boil me, I'm still alive.
<Redacted> lobster!
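
Added example, not part of the original message or of the PostgreSQL project's code: the TLS version and cipher that each standby's replication connection actually negotiated can be checked on the primary by joining pg_stat_replication with pg_stat_ssl. The allowlist in the query is a constructed sample policy and an assumption of this example.

```sql
-- Run on the primary. One row per WAL sender, showing the TLS parameters
-- that the standby's replication connection negotiated, with a verdict
-- against a local policy.
-- ASSUMPTION: the allowlist below is a constructed sample policy, not a
-- recommendation from the thread; replace it with your own.
WITH allowed_cipher(name) AS (
    VALUES ('TLS_AES_256_GCM_SHA384'),        -- TLS 1.3 suite name
           ('TLS_AES_128_GCM_SHA256'),        -- TLS 1.3 suite name
           ('ECDHE-RSA-AES256-GCM-SHA384')    -- TLS 1.2 OpenSSL cipher name
)
SELECT r.application_name,
       r.client_addr,
       r.state,
       s.version AS tls_version,
       s.cipher,
       s.bits,
       CASE
           WHEN NOT s.ssl THEN 'NOT ENCRYPTED'
           WHEN s.version NOT IN ('TLSv1.2', 'TLSv1.3') THEN 'OLD PROTOCOL'
           WHEN a.name IS NULL THEN 'CIPHER NOT IN ALLOWLIST'
           ELSE 'ok'
       END AS verdict
FROM pg_stat_replication AS r
JOIN pg_stat_ssl AS s ON s.pid = r.pid        -- WAL sender's SSL state
LEFT JOIN allowed_cipher AS a ON a.name = s.cipher
ORDER BY verdict DESC, r.application_name;
```

Any row whose verdict is not 'ok' is a replication connection that was accepted with parameters outside the policy, which is the case the question above is concerned with.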