Thread

  1. How to configure client-side TLS ciphers for streaming replication?

    xx Z <xxz030811@gmail.com> — 2025-08-26T11:48:44Z

    Hello,
    Is there a way for a streaming replication standby (client) to restrict its
    list of supported TLS ciphers, similar to how the ssl_ciphers parameter
    works on the primary server?
    We need this for security compliance but can't find an equivalent setting
    for the client-side connection in primary_conninfo.
    Thanks,
    
  2. Re: How to configure client-side TLS ciphers for streaming replication?

    Laurenz Albe <laurenz.albe@cybertec.at> — 2025-08-26T12:16:58Z

    On Tue, 2025-08-26 at 19:48 +0800, xx Z wrote:
    > Is there a way for a streaming replication standby (client) to restrict its list
    > of supported TLS ciphers, similar to how the ssl_ciphers parameter works on the
    > primary server?
    > We need this for security compliance but can't find an equivalent setting for
    > the client-side connection in primary_conninfo.
    
    I don't think that there is a way to do that on the client side.
    But the streaming replication primary is surely under your control, so it should
    be sufficient to set "ssl_siphers" there.
    
    Yours,
    Laurenz Albe
    
    
    
    
  3. Re: How to configure client-side TLS ciphers for streaming replication?

    xx Z <xxz030811@gmail.com> — 2025-08-26T12:34:59Z

    Thanks for your suggestion.
    But I still want to know why we can't set "ssl_ciphers" on the client side.
    This is still considered a security issue in some cases, and PostgreSQL has
    mature capabilities on the master side to implement this functionality.
    
    Greetings,
    Yunfei Zhou
    
    Laurenz Albe <laurenz.albe@cybertec.at>于2025年8月26日 周二20:17写道:
    
    > On Tue, 2025-08-26 at 19:48 +0800, xx Z wrote:
    > > Is there a way for a streaming replication standby (client) to restrict
    > its list
    > > of supported TLS ciphers, similar to how the ssl_ciphers parameter works
    > on the
    > > primary server?
    > > We need this for security compliance but can't find an equivalent
    > setting for
    > > the client-side connection in primary_conninfo.
    >
    > I don't think that there is a way to do that on the client side.
    > But the streaming replication primary is surely under your control, so it
    > should
    > be sufficient to set "ssl_siphers" there.
    >
    > Yours,
    > Laurenz Albe
    >
    
  4. Re: How to configure client-side TLS ciphers for streaming replication?

    Rob Sargent <robjsargent@gmail.com> — 2025-08-26T13:55:54Z

    
    > On Aug 26, 2025, at 5:35 AM, xx Z <xxz030811@gmail.com> wrote:
    > 
    > 
    > Thanks for your suggestion.
    > But I still want to know why we can't set "ssl_ciphers" on the client side.
    > This is still considered a security issue in some cases, and PostgreSQL has mature capabilities on the master side to implement this functionality.
    > 
    > Greetings,
    > Yunfei Zhou
    > 
    
    What is your attack/exposure scenario?
    
    
    
    
    
  5. Re: How to configure client-side TLS ciphers for streaming replication?

    DINESH NAIR <dinesh_nair@iitmpravartak.net> — 2025-08-26T18:10:06Z

    Hi ,
    
    Found an article which might be of help, configuring through  HAProxy as a TLS proxy to control cipher suites.
    
    https://stackoverflow.com/questions/53198588/how-to-disable-specific-cipher-suites-from-haproxy-can-i-do-this-ssl-default
    [https://cdn.sstatic.net/Sites/stackoverflow/Img/apple-touch-icon@2.png?v=73d79a89bded]<https://stackoverflow.com/questions/53198588/how-to-disable-specific-cipher-suites-from-haproxy-can-i-do-this-ssl-default>
    Can I do this "ssl-default-bind-ciphers no RC4-MD5" - Stack Overflow<https://stackoverflow.com/questions/53198588/how-to-disable-specific-cipher-suites-from-haproxy-can-i-do-this-ssl-default>
    How to disable specific cipher suites from Haproxy? All the documents say is to provide a list to be allowed for 'ssl-default-bind-ciphers'. I want to provide only the ones NOT to be allowed. Can I do this "ssl-default-bind-ciphers no RC4-MD5" Reason: I don't want to restrict myself to the ones I put in the list. If the client comes in with a better, faster ciphers suite- I want the ...
    stackoverflow.com
    Ciphers: https://www.openssl.org/docs/man1.0.2/apps/ciphers.html
    
    
    Thanks & Regards
    
    Dinesh Nair
    
    
    ________________________________
    From: Rob Sargent <robjsargent@gmail.com>
    Sent: Tuesday, August 26, 2025 7:25 PM
    To: Z xx <xxz030811@gmail.com>
    Cc: Laurenz Albe <laurenz.albe@cybertec.at>; pgsql-general@lists.postgresql.org <pgsql-general@lists.postgresql.org>
    Subject: Re: How to configure client-side TLS ciphers for streaming replication?
    
    [You don't often get email from robjsargent@gmail.com. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ]
    
    Caution: This email was sent from an external source. Please verify the sender’s identity before clicking links or opening attachments.
    
    > On Aug 26, 2025, at 5:35 AM, xx Z <xxz030811@gmail.com> wrote:
    >
    > 
    > Thanks for your suggestion.
    > But I still want to know why we can't set "ssl_ciphers" on the client side.
    > This is still considered a security issue in some cases, and PostgreSQL has mature capabilities on the master side to implement this functionality.
    >
    > Greetings,
    > Yunfei Zhou
    >
    
    What is your attack/exposure scenario?
    
    
    
    
  6. Re: How to configure client-side TLS ciphers for streaming replication?

    Laurenz Albe <laurenz.albe@cybertec.at> — 2025-08-26T20:16:39Z

    On Tue, 2025-08-26 at 20:34 +0800, xx Z wrote:
    > Thanks for your suggestion.
    > But I still want to know why we can't set "ssl_ciphers" on the client side.
    
    I'd say because nobody implemented it, perhaps because nobody felt the need.
    
    > This is still considered a security issue in some cases, and PostgreSQL has
    > mature capabilities on the master side to implement this functionality.
    
    That sounds to me like some moderately clueful security auditor is looking
    for a nit to pick.  If you do streaming replication, and you control the
    ciphers on the primary server, what added security benefit do you get by
    controlling the ciphers on the standby server (the client) as well?
    
    Yours,
    Laurenz Albe
    
    
    
    
  7. Re: How to configure client-side TLS ciphers for streaming replication?

    Daniel Gustafsson <daniel@yesql.se> — 2025-08-27T19:59:18Z

    > On 26 Aug 2025, at 22:16, Laurenz Albe <laurenz.albe@cybertec.at> wrote:
    > 
    > On Tue, 2025-08-26 at 20:34 +0800, xx Z wrote:
    >> Thanks for your suggestion.
    >> But I still want to know why we can't set "ssl_ciphers" on the client side.
    > 
    > I'd say because nobody implemented it, perhaps because nobody felt the need.
    
    I think the former is a highly likely suspect here.
    
    >> This is still considered a security issue in some cases, and PostgreSQL has
    >> mature capabilities on the master side to implement this functionality.
    > 
    > That sounds to me like some moderately clueful security auditor is looking
    > for a nit to pick.  If you do streaming replication, and you control the
    > ciphers on the primary server, what added security benefit do you get by
    > controlling the ciphers on the standby server (the client) as well?
    
    I would place this above nitpicking, but I also don't have a clear idea of an
    attack (if I did I'd fix it..).  TLS is riddled with weird cases involving
    network middleboxes (usually very enterprisy) so insisting on control isn't
    necessarily a bad thing.
    
    --
    Daniel Gustafsson