Re: Feature request: A method to configure client-side TLS ciphers for streaming replication

From: Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: xx Z <xxz030811(at)gmail(dot)com>, pgsql-hackers(at)lists(dot)postgresql(dot)org
Subject: Re: Feature request: A method to configure client-side TLS ciphers for streaming replication
Date: 2025-08-26 15:14:59
Message-ID: CAOYmi+k8Q6y8W4PoQobi+FK9QNnzvOcYr=7O7=sc-PbCET-DnA@mail.gmail.com
Lists: pgsql-hackers

On Tue, Aug 26, 2025 at 7:10 AM Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> (For that matter, if you have system-level security specifications
> to meet, why would you not alter the system-wide OpenSSL configuration
> on the client's host?)

There is that, or you can maybe use OPENSSL_CONF for more granularity.
(But I'm beginning to think we should support named configuration
sections [1] of openssl.conf, in both the client and the server, to
make this a bit easier.)

--Jacob

[1] https://docs.openssl.org/1.1.1/man3/SSL_CTX_config/
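As an added illustration (not from the thread, and not something PostgreSQL currently does): the shape of an openssl.cnf that combines the two mechanisms mentioned above. The `system_default` section applies to every OpenSSL-linked program that loads this file (for example via OPENSSL_CONF); the `pg_client` section is a hypothetical named section that only takes effect if the client calls SSL_CTX_config(ctx, "pg_client").

```ini
# Constructed example openssl.cnf. Section names other than the
# reserved "system_default" are arbitrary; "pg_client" is hypothetical.
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
# Applied automatically by libssl when SSL_CTX_new() runs.
system_default = system_default_sect
# Looked up only when an application calls SSL_CTX_config(ctx, "pg_client").
pg_client = pg_client_sect

[system_default_sect]
# Host-wide floor: TLS 1.2+, default list at security level 2.
MinProtocol = TLSv1.2
CipherString = DEFAULT:@SECLEVEL=2

[pg_client_sect]
# Stricter policy for one client role: TLS 1.3 only, one suite.
MinProtocol = TLSv1.3
Ciphersuites = TLS_AES_256_GCM_SHA384
```

Setting `OPENSSL_CONF=/path/to/this/openssl.cnf` in the client's environment is enough for the `system_default` section to apply; the named section stays inert until some code selects it by name.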
