Subject: Re: How to configure client-side TLS ciphers for streaming replication?
From: Laurenz Albe
To: xx Z
Cc: pgsql-general@lists.postgresql.org
Date: Tue, 26 Aug 2025 22:16:39 +0200
References: <743186f112b705eb80ba1d03fc2b41f35356dc5e.camel@cybertec.at>

On Tue, 2025-08-26 at 20:34 +0800, xx Z wrote:
> Thanks for your suggestion.
> But I still want to know why we can't set "ssl_ciphers" on the client side.

I'd say because nobody implemented it, perhaps because nobody felt the need.

> This is still considered a security issue in some cases, and PostgreSQL has
> mature capabilities on the master side to implement this functionality.

That sounds to me like some moderately clueful security auditor is looking
for a nit to pick.

If you do streaming replication, and you control the ciphers on the primary
server, what added security benefit do you get by controlling the ciphers
on the standby server (the client) as well?

Yours,
Laurenz Albe
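The practical consequence of the point above is that the cipher policy for a replication connection is enforced on the primary, and that is also where it can be verified. The following is an added example, not code from the message above or from the PostgreSQL project; it restricts the primary's accepted TLS protocol version and ciphers with the standard server parameters and then reads back what each connected standby actually negotiated. The cipher string is an illustrative assumption (choose one that matches your own policy and test it against the OpenSSL builds on your standbys); the settings take effect on reload for new connections only. Run it on the primary as a superuser.

```sql
-- Added example (not from the original message or the PostgreSQL project):
-- enforce the TLS policy on the primary, then check what each standby
-- negotiated. The cipher list is an assumption for illustration only.

-- 1. Server-side policy. With ssl_prefer_server_ciphers = on (the default)
--    the server's preference order wins, so the client's list cannot
--    downgrade the choice below what is allowed here.
ALTER SYSTEM SET ssl_min_protocol_version = 'TLSv1.2';
ALTER SYSTEM SET ssl_prefer_server_ciphers = on;
ALTER SYSTEM SET ssl_ciphers = 'ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5';
SELECT pg_reload_conf();  -- SSL settings reload on SIGHUP; affects new connections only

-- 2. Verify per standby. pg_stat_replication and pg_stat_ssl share the
--    walsender's backend pid. Existing replication sessions keep their old
--    cipher until the standby's walreceiver reconnects.
SELECT r.application_name,
       r.client_addr,
       r.state,
       s.ssl,
       s.version,
       s.cipher,
       s.bits
FROM pg_stat_replication AS r
JOIN pg_stat_ssl AS s USING (pid)
ORDER BY r.application_name;

-- 3. Any standby with ssl = false got in through a "host" (not "hostssl")
--    replication line in pg_hba.conf; list them so the rule can be tightened.
SELECT r.application_name, r.client_addr
FROM pg_stat_replication AS r
JOIN pg_stat_ssl AS s USING (pid)
WHERE NOT s.ssl;
```

Two caveats a practitioner should keep in mind: with OpenSSL, `ssl_ciphers` governs TLS 1.2 and earlier only, so a TLS 1.3 handshake picks from OpenSSL's TLS 1.3 suites regardless of this string unless the server release provides a separate setting for them; and the query in step 2 is the check to re-run after a reload, because a reload does not renegotiate sessions that are already up.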