From: Ron Johnson
Date: Tue, 26 Aug 2025 14:43:46 -0400
Subject: Re: Feature request: A method to configure client-side TLS ciphers for streaming replication
To: pgsql-general@lists.postgresql.org

On Tue, Aug 26, 2025 at 9:09 AM xx Z wrote:

> Hello,
> Thank you for the reply and for the advice about our PostgreSQL version.
> We will plan to update it.
> To clarify what I meant by "standby (client)": In a streaming replication
> setup, the standby server connects to the primary server to receive data.
> In this specific network connection, the standby acts as the client, and
> the primary acts as the server.
>

I think you are using non-standard terminology.

> My question is about restricting the lists of supported TLS ciphers on the
> standby (the client side of the connection).
> Regarding my original question, does the latest version of PostgreSQL
> provide a way to configure the client-side TLS cipher list for the
> replication connection? If not, are there any discussions or plans to add
> this feature in the future?
>

That's the responsibility of your ssl configuration, I think.

https://www.postgresql.org/message-id/39BE74F7-903A-467F-AA15-E7062361A8E2%40yesql.se

>
> Ron Johnson wrote on Tue, Aug 26, 2025 at 21:00:
>
>> On Tue, Aug 26, 2025 at 3:28 AM xx Z wrote:
>>
>>> Hello PostgreSQL community,
>>>
>>> I have a question regarding the configuration of streaming replication.
>>>
>>> When setting up streaming replication over TLS, I've noticed that while
>>> the primary server can restrict its supported encryption algorithms using
>>> the ssl_ciphers parameter, there doesn't seem to be a corresponding method
>>> for the standby (client) side of the replication connection. The standby
>>> appears to use all the default ciphers supported by the system's OpenSSL
>>> library.
>>>
>>
>> What is a "standby (client)"?
>>
>> Postgresql version: 15.2
>>>
>>
>> That's missing 12 sets (three years) of bug fixes. When using RPM or
>> .deb packages, updating takes only a few minutes.
>>
>

-- 
Death to <Redacted>, and butter sauce.
Don't boil me, I'm still alive.
<Redacted> lobster!
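
An added illustration of the "ssl configuration" approach mentioned in the reply above; it is not from the thread or from the PostgreSQL project. It assumes the standby's libpq is built against OpenSSL 1.1.1 or later and loads OpenSSL's default configuration file, and the cipher selections are example choices, not values taken from the thread.

```ini
# Added example: OpenSSL configuration file read by the standby's postgres
# process. Assumption: libpq loads this file when it initialises TLS.
# The cipher selections below are illustrative.

openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
# Floor for the protocol versions the client offers.
MinProtocol = TLSv1.2
# TLS 1.2 and below: OpenSSL cipher-list syntax, the same syntax ssl_ciphers uses.
CipherString = ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL
# TLS 1.3 suites are configured separately from CipherString.
Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
```

Every OpenSSL client that loads this file is affected, so it can be scoped to the standby's postgres service with the OPENSSL_CONF environment variable. The cipher actually negotiated for the replication connection is visible on the primary in the pg_stat_ssl view.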