Re: How to configure client-side TLS ciphers for streaming replication?
xx Z <xxz030811@gmail.com>
From: xx Z <xxz030811@gmail.com>
To: Laurenz Albe <laurenz.albe@cybertec.at>
Cc: pgsql-general@lists.postgresql.org
Date: 2025-08-26T12:34:59Z
Lists: pgsql-general
Thanks for your suggestion. But I still want to know why we can't set "ssl_ciphers" on the client side. This is still considered a security issue in some cases, and PostgreSQL has mature capabilities on the master side to implement this functionality. Greetings, Yunfei Zhou Laurenz Albe <laurenz.albe@cybertec.at>于2025年8月26日 周二20:17写道: > On Tue, 2025-08-26 at 19:48 +0800, xx Z wrote: > > Is there a way for a streaming replication standby (client) to restrict > its list > > of supported TLS ciphers, similar to how the ssl_ciphers parameter works > on the > > primary server? > > We need this for security compliance but can't find an equivalent > setting for > > the client-side connection in primary_conninfo. > > I don't think that there is a way to do that on the client side. > But the streaming replication primary is surely under your control, so it > should > be sufficient to set "ssl_siphers" there. > > Yours, > Laurenz Albe >