Discussion: How to configure client-side TLS ciphers for streaming replication?


How to configure client-side TLS ciphers for streaming replication?

From
xx Z
Date:
Hello,
Is there a way for a streaming replication standby (client) to restrict its list of supported TLS ciphers, similar to how the ssl_ciphers parameter works on the primary server?
We need this for security compliance but can't find an equivalent setting for the client-side connection in primary_conninfo.
Thanks,

Re: How to configure client-side TLS ciphers for streaming replication?

From
Laurenz Albe
Date:
On Tue, 2025-08-26 at 19:48 +0800, xx Z wrote:
> Is there a way for a streaming replication standby (client) to restrict its list
> of supported TLS ciphers, similar to how the ssl_ciphers parameter works on the
> primary server?
> We need this for security compliance but can't find an equivalent setting for
> the client-side connection in primary_conninfo.

I don't think that there is a way to do that on the client side.
But the streaming replication primary is surely under your control, so it should
be sufficient to set "ssl_ciphers" there.

Yours,
Laurenz Albe



Re: How to configure client-side TLS ciphers for streaming replication?

From
xx Z
Date:
Thanks for your suggestion.
But I still want to know why we can't set "ssl_ciphers" on the client side.
This is still considered a security issue in some cases, and PostgreSQL has mature capabilities on the master side to implement this functionality.

Greetings,
Yunfei Zhou

On Tue, 26 Aug 2025 at 20:17, Laurenz Albe <laurenz.albe@cybertec.at> wrote:
> On Tue, 2025-08-26 at 19:48 +0800, xx Z wrote:
> > Is there a way for a streaming replication standby (client) to restrict its list
> > of supported TLS ciphers, similar to how the ssl_ciphers parameter works on the
> > primary server?
> > We need this for security compliance but can't find an equivalent setting for
> > the client-side connection in primary_conninfo.
>
> I don't think that there is a way to do that on the client side.
> But the streaming replication primary is surely under your control, so it should
> be sufficient to set "ssl_ciphers" there.
>
> Yours,
> Laurenz Albe

Re: How to configure client-side TLS ciphers for streaming replication?

From
Rob Sargent
Date:

> On Aug 26, 2025, at 5:35 AM, xx Z <xxz030811@gmail.com> wrote:
>
>
> Thanks for your suggestion.
> But I still want to know why we can't set "ssl_ciphers" on the client side.
> This is still considered a security issue in some cases, and PostgreSQL has mature capabilities on the master side to implement this functionality.
>
> Greetings,
> Yunfei Zhou
>

What is your attack/exposure scenario?




Re: How to configure client-side TLS ciphers for streaming replication?

From
Dinesh Nair
Date:
Hi,

Found an article which might be of help, configuring through HAProxy as a TLS proxy to control cipher suites.


Thanks & Regards

Dinesh Nair



From: Rob Sargent <robjsargent@gmail.com>
Sent: Tuesday, August 26, 2025 7:25 PM
To: Z xx <xxz030811@gmail.com>
Cc: Laurenz Albe <laurenz.albe@cybertec.at>; pgsql-general@lists.postgresql.org <pgsql-general@lists.postgresql.org>
Subject: Re: How to configure client-side TLS ciphers for streaming replication?
> On Aug 26, 2025, at 5:35 AM, xx Z <xxz030811@gmail.com> wrote:
>
> 
> Thanks for your suggestion.
> But I still want to know why we can't set "ssl_ciphers" on the client side.
> This is still considered a security issue in some cases, and PostgreSQL has mature capabilities on the master side to implement this functionality.
>
> Greetings,
> Yunfei Zhou
>

What is your attack/exposure scenario?



Re: How to configure client-side TLS ciphers for streaming replication?

From
Laurenz Albe
Date:
On Tue, 2025-08-26 at 20:34 +0800, xx Z wrote:
> Thanks for your suggestion.
> But I still want to know why we can't set "ssl_ciphers" on the client side.

I'd say because nobody implemented it, perhaps because nobody felt the need.

> This is still considered a security issue in some cases, and PostgreSQL has
> mature capabilities on the master side to implement this functionality.

That sounds to me like some moderately clueful security auditor is looking
for a nit to pick.  If you do streaming replication, and you control the
ciphers on the primary server, what added security benefit do you get by
controlling the ciphers on the standby server (the client) as well?

Yours,
Laurenz Albe



Re: How to configure client-side TLS ciphers for streaming replication?

From
Daniel Gustafsson
Date:
> On 26 Aug 2025, at 22:16, Laurenz Albe <laurenz.albe@cybertec.at> wrote:
>
> On Tue, 2025-08-26 at 20:34 +0800, xx Z wrote:
>> Thanks for your suggestion.
>> But I still want to know why we can't set "ssl_ciphers" on the client side.
>
> I'd say because nobody implemented it, perhaps because nobody felt the need.

I think the former is a highly likely suspect here.

>> This is still considered a security issue in some cases, and PostgreSQL has
>> mature capabilities on the master side to implement this functionality.
>
> That sounds to me like some moderately clueful security auditor is looking
> for a nit to pick.  If you do streaming replication, and you control the
> ciphers on the primary server, what added security benefit do you get by
> controlling the ciphers on the standby server (the client) as well?

I would place this above nitpicking, but I also don't have a clear idea of an
attack (if I did I'd fix it..).  TLS is riddled with weird cases involving
network middleboxes (usually very enterprisy) so insisting on control isn't
necessarily a bad thing.

--
Daniel Gustafsson
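As an added example (not from this thread or from PostgreSQL's documentation): Laurenz's suggestion of pinning ciphers on the primary, the protocol and certificate options that libpq does accept in primary_conninfo on the standby, and a query on the primary that audits what each replication connection actually negotiated, which is the check Daniel's middlebox remark calls for. The host name, certificate path, role name and cipher list are assumed values.

```sql
-- On the PRIMARY: restrict what any client, including the standby's
-- walreceiver, may negotiate. ssl_ciphers is an OpenSSL cipher list and
-- governs TLSv1.2-and-earlier suites (TLS 1.3 suites are handled separately).
ALTER SYSTEM SET ssl_ciphers = 'ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5';  -- assumed policy
ALTER SYSTEM SET ssl_min_protocol_version = 'TLSv1.2';
ALTER SYSTEM SET ssl_prefer_server_ciphers = on;  -- primary's preference order wins
SELECT pg_reload_conf();  -- SSL settings are reloadable; no restart needed

-- On the STANDBY: libpq has no cipher-list option, but primary_conninfo can
-- pin a protocol floor and require full verification of the primary's
-- certificate. Host, role and CA path are assumed values.
ALTER SYSTEM SET primary_conninfo =
  'host=primary.example.internal user=replicator '
  'sslmode=verify-full sslrootcert=/etc/postgresql/ca.crt '
  'ssl_min_protocol_version=TLSv1.2';
SELECT pg_reload_conf();  -- primary_conninfo is reloadable since PostgreSQL 13

-- Back on the PRIMARY: list replication connections whose negotiated
-- parameters fall outside the allowed set. A hit points at a TLS-terminating
-- middlebox or a misconfigured standby, not at the cipher policy itself.
SELECT r.client_addr, r.application_name, r.state,
       s.version, s.cipher, s.bits
FROM pg_stat_replication AS r
JOIN pg_stat_ssl AS s USING (pid)
WHERE s.ssl IS DISTINCT FROM true
   OR s.version < 'TLSv1.2'                      -- 'TLSv1', 'TLSv1.1' sort lower
   OR NOT (s.cipher LIKE 'ECDHE-%'               -- OpenSSL TLS 1.2 ECDHE names
           OR s.cipher LIKE 'TLS\_%');           -- TLS 1.3 names, e.g. TLS_AES_256_GCM_SHA384
```

An empty result from the last query means every walreceiver session is using a suite the primary permits; run it from a monitoring job rather than once, since a standby reconnects after every failover or network blip.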