How to configure client-side TLS ciphers for streaming replication?
Hello,
Is there a way for a streaming replication standby (client) to restrict its
list of supported TLS ciphers, similar to how the ssl_ciphers parameter
works on the primary server?
We need this for security compliance but can't find an equivalent setting
for the client-side connection in primary_conninfo.
Thanks,
On Tue, 2025-08-26 at 19:48 +0800, xx Z wrote:
Is there a way for a streaming replication standby (client) to restrict its list
of supported TLS ciphers, similar to how the ssl_ciphers parameter works on the
primary server?
We need this for security compliance but can't find an equivalent setting for
the client-side connection in primary_conninfo.
I don't think that there is a way to do that on the client side.
But the streaming replication primary is surely under your control, so it should
be sufficient to set "ssl_ciphers" there.
Yours,
Laurenz Albe
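The advice above relies on the primary choosing the cipher. As an added example (not from the thread or from the PostgreSQL project), here is how to apply that setting on the primary and then audit what each streaming replication connection actually negotiated, using the pg_stat_replication and pg_stat_ssl views; the cipher strings and the approved list are illustrative placeholders.

```sql
-- On the primary, as superuser: restrict the cipher list the server will negotiate.
-- The cipher string is an example; substitute the list your policy requires.
ALTER SYSTEM SET ssl_ciphers = 'ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5';

-- ssl_ciphers is reloadable, so no restart is needed. Caveat: with OpenSSL this
-- setting governs TLSv1.2 and earlier only; TLSv1.3 suites are not filtered by it.
SELECT pg_reload_conf();
SHOW ssl_ciphers;

-- Existing sessions keep the cipher negotiated at their handshake, so a standby
-- must reconnect (walreceiver restart) before the new list applies to it.

-- Audit: which cipher is each replication client (standby) actually using?
SELECT r.application_name, r.client_addr, r.state,
       s.ssl, s.version, s.cipher, s.bits
FROM pg_stat_replication AS r
JOIN pg_stat_ssl AS s USING (pid);

-- Compliance check: list replication connections that are unencrypted or that
-- use a cipher outside the approved set (the set below is an example).
SELECT r.pid, r.client_addr, s.version, s.cipher
FROM pg_stat_replication AS r
JOIN pg_stat_ssl AS s USING (pid)
WHERE NOT s.ssl
   OR s.cipher NOT IN ('TLS_AES_256_GCM_SHA384',
                       'ECDHE-RSA-AES256-GCM-SHA384');
```

An empty result from the last query means every standby is connected over TLS with a cipher from the approved set; any row it returns is a connection to investigate.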
Thanks for your suggestion.
But I still want to know why we can't set "ssl_ciphers" on the client side.
This is still considered a security issue in some cases, and PostgreSQL has
mature capabilities on the master side to implement this functionality.
Greetings,
Yunfei Zhou
Laurenz Albe <laurenz.albe@cybertec.at> wrote on Tue, Aug 26, 2025 at 20:17:
On Aug 26, 2025, at 5:35 AM, xx Z <xxz030811@gmail.com> wrote:
Thanks for your suggestion.
But I still want to know why we can't set "ssl_ciphers" on the client side.
This is still considered a security issue in some cases, and PostgreSQL has mature capabilities on the master side to implement this functionality.
Greetings,
Yunfei Zhou
What is your attack/exposure scenario?
Hi,
Found an article which might be of help, configuring through HAProxy as a TLS proxy to control cipher suites.
https://stackoverflow.com/questions/53198588/how-to-disable-specific-cipher-suites-from-haproxy-can-i-do-this-ssl-default
Ciphers: https://www.openssl.org/docs/man1.0.2/apps/ciphers.html
Thanks & Regards
Dinesh Nair
________________________________
From: Rob Sargent <robjsargent@gmail.com>
Sent: Tuesday, August 26, 2025 7:25 PM
To: Z xx <xxz030811@gmail.com>
Cc: Laurenz Albe <laurenz.albe@cybertec.at>; pgsql-general@lists.postgresql.org <pgsql-general@lists.postgresql.org>
Subject: Re: How to configure client-side TLS ciphers for streaming replication?
On Tue, 2025-08-26 at 20:34 +0800, xx Z wrote:
Thanks for your suggestion.
But I still want to know why we can't set "ssl_ciphers" on the client side.
I'd say because nobody implemented it, perhaps because nobody felt the need.
This is still considered a security issue in some cases, and PostgreSQL has
mature capabilities on the master side to implement this functionality.
That sounds to me like some moderately clueful security auditor is looking
for a nit to pick. If you do streaming replication, and you control the
ciphers on the primary server, what added security benefit do you get by
controlling the ciphers on the standby server (the client) as well?
Yours,
Laurenz Albe
On 26 Aug 2025, at 22:16, Laurenz Albe <laurenz.albe@cybertec.at> wrote:
On Tue, 2025-08-26 at 20:34 +0800, xx Z wrote:
Thanks for your suggestion.
But I still want to know why we can't set "ssl_ciphers" on the client side.
I'd say because nobody implemented it, perhaps because nobody felt the need.
I think the former is a highly likely suspect here.
This is still considered a security issue in some cases, and PostgreSQL has
mature capabilities on the master side to implement this functionality.
That sounds to me like some moderately clueful security auditor is looking
for a nit to pick. If you do streaming replication, and you control the
ciphers on the primary server, what added security benefit do you get by
controlling the ciphers on the standby server (the client) as well?
I would place this above nitpicking, but I also don't have a clear idea of an
attack (if I did I'd fix it..). TLS is riddled with weird cases involving
network middleboxes (usually very enterprisy) so insisting on control isn't
necessarily a bad thing.
--
Daniel Gustafsson