Re: How to configure client-side TLS ciphers for streaming replication?
Daniel Gustafsson <daniel@yesql.se>
From: Daniel Gustafsson <daniel@yesql.se>
To: Laurenz Albe <laurenz.albe@cybertec.at>
Cc: xx Z <xxz030811@gmail.com>,
pgsql-general@lists.postgresql.org
Date: 2025-08-27T19:59:18Z
Lists: pgsql-general
> On 26 Aug 2025, at 22:16, Laurenz Albe <laurenz.albe@cybertec.at> wrote: > > On Tue, 2025-08-26 at 20:34 +0800, xx Z wrote: >> Thanks for your suggestion. >> But I still want to know why we can't set "ssl_ciphers" on the client side. > > I'd say because nobody implemented it, perhaps because nobody felt the need. I think the former is a highly likely suspect here. >> This is still considered a security issue in some cases, and PostgreSQL has >> mature capabilities on the master side to implement this functionality. > > That sounds to me like some moderately clueful security auditor is looking > for a nit to pick. If you do streaming replication, and you control the > ciphers on the primary server, what added security benefit do you get by > controlling the ciphers on the standby server (the client) as well? I would place this above nitpicking, but I also don't have a clear idea of an attack (if I did I'd fix it..). TLS is riddled with weird cases involving network middleboxes (usually very enterprisy) so insisting on control isn't necessarily a bad thing. -- Daniel Gustafsson