public inbox for [email protected]  
From: Laurenz Albe <[email protected]>
To: xx Z <[email protected]>
Cc: [email protected]
Subject: Re: How to configure client-side TLS ciphers for streaming replication?
Date: Tue, 26 Aug 2025 22:16:39 +0200
Message-ID: <[email protected]> (raw)
In-Reply-To: <CA+aQVj+bq9iz-zM+s3F9_bDFGA_oZ41T-dHX=f=mMXhAP87K6w@mail.gmail.com>
References: <CA+aQVjKMYngg0AVHVOcj8veB5yqoA=HCTKe-QQ3q-AovHTB0SQ@mail.gmail.com>
	<[email protected]>
	<CA+aQVj+bq9iz-zM+s3F9_bDFGA_oZ41T-dHX=f=mMXhAP87K6w@mail.gmail.com>

On Tue, 2025-08-26 at 20:34 +0800, xx Z wrote:
> Thanks for your suggestion.
> But I still want to know why we can't set "ssl_ciphers" on the client side.

I'd say because nobody implemented it, perhaps because nobody felt the need.

> This is still considered a security issue in some cases, and PostgreSQL has
> mature capabilities on the master side to implement this functionality.

That sounds to me like some moderately clueful security auditor is looking
for a nit to pick.  If you do streaming replication, and you control the
ciphers on the primary server, what added security benefit do you get by
controlling the ciphers on the standby server (the client) as well?

Yours,
Laurenz Albe
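An added illustration of the point made in this reply (this code is not part of the thread and not PostgreSQL's own code). It is a simplified model of TLS 1.2 cipher-suite negotiation with server preference, which is what the primary's ssl_ciphers setting (with ssl_prefer_server_ciphers on, the default) controls: whatever the standby offers, the suite actually used comes from the primary's list. The cipher lists are constructed sample data; the SQL at the end is the check an administrator would run on the primary to see which cipher each standby really negotiated, and assumes only the standard pg_stat_replication and pg_stat_ssl views.

```python
"""
Added example (not from the mailing-list thread): a simplified model of
TLS 1.2 cipher negotiation with server preference, plus the SQL a DBA would
run on the primary to verify the cipher each standby negotiated.
"""
from itertools import permutations

# Constructed sample lists for illustration only. Suite names follow
# OpenSSL naming; the non-ECDHE entry is present only to show it is never chosen.
PRIMARY_SSL_CIPHERS = [  # what ssl_ciphers on the primary permits, in preference order
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
]

STANDBY_CLIENT_HELLO = [  # what a standby's libpq might offer, weakest first on purpose
    "AES128-SHA",                     # RSA key exchange, no forward secrecy
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
]


def negotiate(client_offered, server_allowed, prefer_server=True):
    """Return the suite the server selects, or None when there is no overlap.

    With prefer_server=True (PostgreSQL's ssl_prefer_server_ciphers default)
    the server walks its own list in order and takes the first suite the
    client also offered; with prefer_server=False it honours client order
    but still only within its own allowed set.
    """
    ordered = server_allowed if prefer_server else client_offered
    other = set(client_offered) if prefer_server else set(server_allowed)
    for suite in ordered:
        if suite in other:
            return suite
    return None


def server_list_governs(client_offered, server_allowed):
    """The argument in the reply, checked exhaustively for one client list:
    no matter how the client orders its offer, and whichever preference mode
    is in effect, the chosen suite is always one the server allows."""
    for order in permutations(client_offered):
        for prefer_server in (True, False):
            chosen = negotiate(list(order), server_allowed, prefer_server)
            if chosen is not None and chosen not in server_allowed:
                return False
    return True


# Run this on the primary (psql) to see the cipher each standby negotiated.
# Assumes the standard views; no client-side setting is needed for this check.
REPLICATION_CIPHER_CHECK_SQL = """
SELECT r.client_addr, r.application_name, r.state, s.version, s.cipher, s.bits
FROM pg_stat_replication AS r
JOIN pg_stat_ssl AS s USING (pid);
"""

if __name__ == "__main__":
    print("server preference:", negotiate(STANDBY_CLIENT_HELLO, PRIMARY_SSL_CIPHERS))
    print("client preference:", negotiate(STANDBY_CLIENT_HELLO, PRIMARY_SSL_CIPHERS, False))
    print("only weak suite offered:", negotiate(["AES128-SHA"], PRIMARY_SSL_CIPHERS))
    print("server list governs:", server_list_governs(STANDBY_CLIENT_HELLO, PRIMARY_SSL_CIPHERS))
    print(REPLICATION_CIPHER_CHECK_SQL)
```

The model shows why a client-side cipher list adds little for a replication setup the administrator already controls: a standby that offers a weaker suite first still ends up on a primary-approved suite, and a standby that offers nothing the primary accepts simply fails to connect. The SQL check is the practical verification, since it reports the cipher actually in use rather than what either side was configured to prefer.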