From: | "DINESH NAIR" <Dinesh_Nair(at)iitmpravartak(dot)net> |
---|---|
To: | Rob Sargent <robjsargent(at)gmail(dot)com>, Z xx <xxz030811(at)gmail(dot)com> |
Cc: | Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at>, "pgsql-general(at)lists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org> |
Subject: | Re: How to configure client-side TLS ciphers for streaming replication? |
Date: | 2025-08-26 18:10:06 |
Message-ID: | PN4P287MB43813EBDE5D319C9C9237AD99C39A@PN4P287MB4381.INDP287.PROD.OUTLOOK.COM |
Lists: | pgsql-general |
Hi,
Found an article which might be of help: configuring through HAProxy as a TLS proxy to control cipher suites.
https://stackoverflow.com/questions/53198588/how-to-disable-specific-cipher-suites-from-haproxy-can-i-do-this-ssl-default
Ciphers: https://www.openssl.org/docs/man1.0.2/apps/ciphers.html
Thanks & Regards
Dinesh Nair
________________________________
From: Rob Sargent <robjsargent(at)gmail(dot)com>
Sent: Tuesday, August 26, 2025 7:25 PM
To: Z xx <xxz030811(at)gmail(dot)com>
Cc: Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at>; pgsql-general(at)lists(dot)postgresql(dot)org <pgsql-general(at)lists(dot)postgresql(dot)org>
Subject: Re: How to configure client-side TLS ciphers for streaming replication?
> On Aug 26, 2025, at 5:35 AM, xx Z <xxz030811(at)gmail(dot)com> wrote:
>
>
> Thanks for your suggestion.
> But I still want to know why we can't set "ssl_ciphers" on the client side.
> This is still considered a security issue in some cases, and PostgreSQL has mature capabilities on the master side to implement this functionality.
>
> Greetings,
> Yunfei Zhou
>
What is your attack/exposure scenario?