Re: Feature request: A method to configure client-side TLS ciphers for streaming replication

From: Andres Freund <andres(at)anarazel(dot)de>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: xx Z <xxz030811(at)gmail(dot)com>, pgsql-hackers(at)lists(dot)postgresql(dot)org
Subject: Re: Feature request: A method to configure client-side TLS ciphers for streaming replication
Date: 2025-08-26 15:08:40
Message-ID: qoun5qig2xospw6mw4swfgwenrlveqb3dyt3a3nbg3obnz6p33@ni5ud3a2iyus
Lists: pgsql-hackers

Hi,

On 2025-08-26 10:09:56 -0400, Tom Lane wrote:
> xx Z <xxz030811(at)gmail(dot)com> writes:
> > For security compliance, we need to restrict the ciphers used by the
> > client. Is there a way to configure the list of supported TLS ciphers on
> > the standby for the replication connection?
>
> No. It's not really apparent to me why the client would have stronger
> needs for this than the server does, so I don't see why the existing
> server-side options aren't sufficient.

If the used cipher is too weak, it makes it easier for a malicious server to
inject itself, pretending to be the real server. The settings on the real
server don't take effect in that case.

Greetings,

Andres Freund
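Since libpq has no client-side cipher setting, one check a standby operator can still run is to inspect what was actually negotiated and compare it to policy. The example below is added here and is not part of the thread or of PostgreSQL: it parses the "SSL connection (...)" banner psql prints on connect (the sample banner lines are constructed) and flags anything outside an assumed allowlist of forward-secret AEAD suites, a protocol below TLS 1.2, or TLS compression.

```python
import re

# Constructed sample lines in the format psql prints after a TLS connect;
# the second and third are deliberately weak so the check has something to flag.
SAMPLE_BANNERS = [
    "SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, compression: off)",
    "SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES128-SHA, compression: off)",
    "SSL connection (protocol: TLSv1, cipher: DES-CBC3-SHA, compression: on)",
]

# Protocol names as OpenSSL (and therefore libpq/psql) reports them, ranked.
PROTOCOL_RANK = {"TLSv1": 10, "TLSv1.1": 11, "TLSv1.2": 12, "TLSv1.3": 13}
# Assumed allowlist (not a PostgreSQL default): forward-secret AEAD suites only,
# i.e. the TLS 1.3 suites plus ECDHE GCM/ChaCha20 suites for TLS 1.2.
ALLOWED_CIPHER_RE = re.compile(
    r"^(TLS_AES_(128|256)_GCM_SHA(256|384)|TLS_CHACHA20_POLY1305_SHA256"
    r"|ECDHE-(ECDSA|RSA)-(AES(128|256)-GCM-SHA(256|384)|CHACHA20-POLY1305))$"
)
BANNER_RE = re.compile(r"^SSL connection \((?P<fields>.*)\)$")

def parse_banner(line):
    """Split a psql SSL banner into its 'key: value' fields; None if not a banner."""
    m = BANNER_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for part in m.group("fields").split(","):      # tolerates extra fields (e.g. ALPN)
        key, sep, value = part.strip().partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def check_policy(fields, min_protocol="TLSv1.2", cipher_re=ALLOWED_CIPHER_RE):
    """Return the list of policy violations for a parsed banner (empty means OK)."""
    problems = []
    proto = fields.get("protocol", "")
    if PROTOCOL_RANK.get(proto, 0) < PROTOCOL_RANK[min_protocol]:
        problems.append(f"protocol {proto or '?'} below {min_protocol}")
    cipher = fields.get("cipher", "")
    if not cipher_re.match(cipher):
        problems.append(f"cipher {cipher or '?'} not in allowlist")
    if fields.get("compression", "off") != "off":   # compression invites CRIME-style leaks
        problems.append("TLS compression enabled")
    return problems

def audit(lines):
    """Map each line to its violations; a line without a TLS banner is itself a finding."""
    results = {}
    for line in lines:
        fields = parse_banner(line)
        results[line] = ["no TLS banner"] if fields is None else check_policy(fields)
    return results
```

The same protocol and cipher fields are visible on the primary in pg_stat_ssl for the walreceiver's session, so the check can be run from either end.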
