| From: | xx Z <xxz030811(at)gmail(dot)com> |
|---|---|
| To: | Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at> |
| Cc: | pgsql-general(at)lists(dot)postgresql(dot)org |
| Subject: | Re: How to configure client-side TLS ciphers for streaming replication? |
| Date: | 2025-08-26 12:34:59 |
| Message-ID: | CA+aQVj+bq9iz-zM+s3F9_bDFGA_oZ41T-dHX=f=mMXhAP87K6w@mail.gmail.com |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Thanks for your suggestion.
But I still want to know why we can't set "ssl_ciphers" on the client side.
This is still considered a security issue in some cases, and PostgreSQL has
mature capabilities on the master side to implement this functionality.
Greetings,
Yunfei Zhou
Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at>于2025年8月26日 周二20:17写道:
> On Tue, 2025-08-26 at 19:48 +0800, xx Z wrote:
> > Is there a way for a streaming replication standby (client) to restrict
> its list
> > of supported TLS ciphers, similar to how the ssl_ciphers parameter works
> on the
> > primary server?
> > We need this for security compliance but can't find an equivalent
> setting for
> > the client-side connection in primary_conninfo.
>
> I don't think that there is a way to do that on the client side.
> But the streaming replication primary is surely under your control, so it
> should
> be sufficient to set "ssl_siphers" there.
>
> Yours,
> Laurenz Albe
>
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Ron Johnson | 2025-08-26 12:53:37 | Re: DISABLE TRIGGER doc wrong? |
| Previous Message | Laurenz Albe | 2025-08-26 12:16:58 | Re: How to configure client-side TLS ciphers for streaming replication? |