Обсуждение: Feature request: A method to configure client-side TLS ciphers for streaming replication
Hello PostgreSQL community,
I have a question regarding the configuration of streaming replication.
When setting up streaming replication over TLS, I've noticed that while the primary server can restrict its supported encryption algorithms using the ssl_ciphers parameter, there doesn't seem to be a corresponding method for the standby (client) side of the replication connection. The standby appears to use all the default ciphers supported by the system's OpenSSL library.
For security compliance, we need to restrict the ciphers used by the client. Is there a way to configure the list of supported TLS ciphers on the standby for the replication connection?
If this functionality does not currently exist, I would like to request it as a new feature. It would be very helpful to have a connection parameter in primary_conninfo to specify the client-side cipher list.
Postgresql version: 15.2
Thank you for your time and consideration.
Best regards,
Yunfei Zhou
xx Z <xxz030811@gmail.com> writes:
> For security compliance, we need to restrict the ciphers used by the
> client. Is there a way to configure the list of supported TLS ciphers on
> the standby for the replication connection?
No. It's not really apparent to me why the client would have stronger
needs for this than the server does, so I don't see why the existing
server-side options aren't sufficient.
(For that matter, if you have system-level security specifications
to meet, why would you not alter the system-wide OpenSSL configuration
on the client's host?)
regards, tom lane
Re: Feature request: A method to configure client-side TLS ciphers for streaming replication
От
Andres Freund
Дата:
Hi, On 2025-08-26 10:09:56 -0400, Tom Lane wrote: > xx Z <xxz030811@gmail.com> writes: > > For security compliance, we need to restrict the ciphers used by the > > client. Is there a way to configure the list of supported TLS ciphers on > > the standby for the replication connection? > > No. It's not really apparent to me why the client would have stronger > needs for this than the server does, so I don't see why the existing > server-side options aren't sufficient. If the used cipher is too weak, it makes it easier for a malicious server to inject itself, pretending to be the real server. The settings on the real server don't take effect in that case. Greetings, Andres Freund
Re: Feature request: A method to configure client-side TLS ciphers for streaming replication
От
Jacob Champion
Дата:
On Tue, Aug 26, 2025 at 7:10 AM Tom Lane <tgl@sss.pgh.pa.us> wrote: > (For that matter, if you have system-level security specifications > to meet, why would you not alter the system-wide OpenSSL configuration > on the client's host?) There is that, or you can maybe use OPENSSL_CONF for more granularity. (But I'm beginning to think we should support named configuration sections [1] of openssl.conf, in both the client and the server, to make this a bit easier.) --Jacob [1] https://docs.openssl.org/1.1.1/man3/SSL_CTX_config/