public inbox for [email protected]  
From: DINESH  NAIR <[email protected]>
To: Rob Sargent <[email protected]>
To: Z xx <[email protected]>
Cc: Laurenz Albe <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: How to configure client-side TLS ciphers for streaming replication?
Date: Tue, 26 Aug 2025 18:10:06 +0000
Message-ID: <PN4P287MB43813EBDE5D319C9C9237AD99C39A@PN4P287MB4381.INDP287.PROD.OUTLOOK.COM> (raw)
In-Reply-To: <[email protected]>
References: <CA+aQVj+bq9iz-zM+s3F9_bDFGA_oZ41T-dHX=f=mMXhAP87K6w@mail.gmail.com>
	<[email protected]>

Hi,

Found an article which might be of help, configuring through HAProxy as a TLS proxy to control cipher suites.

https://stackoverflow.com/questions/53198588/how-to-disable-specific-cipher-suites-from-haproxy-can-...
Can I do this "ssl-default-bind-ciphers no RC4-MD5" - Stack Overflow
Ciphers: https://www.openssl.org/docs/man1.0.2/apps/ciphers.html


Thanks & Regards

Dinesh Nair


________________________________
From: Rob Sargent <[email protected]>
Sent: Tuesday, August 26, 2025 7:25 PM
To: Z xx <[email protected]>
Cc: Laurenz Albe <[email protected]>; [email protected] <[email protected]>
Subject: Re: How to configure client-side TLS ciphers for streaming replication?

> On Aug 26, 2025, at 5:35 AM, xx Z <[email protected]> wrote:
>
> 
> Thanks for your suggestion.
> But I still want to know why we can't set "ssl_ciphers" on the client side.
> This is still considered a security issue in some cases, and PostgreSQL has mature capabilities on the master side to implement this functionality.
>
> Greetings,
> Yunfei Zhou
>

What is your attack/exposure scenario?