Feature request: A method to configure client-side TLS ciphers for streaming replication

Started by xx Z, 5 months ago, 4 messages
#1 xx Z
xxz030811@gmail.com

Hello PostgreSQL community,

I have a question regarding the configuration of streaming replication.

When setting up streaming replication over TLS, I've noticed that while the
primary server can restrict its supported encryption algorithms using the
ssl_ciphers parameter, there doesn't seem to be a corresponding method for
the standby (client) side of the replication connection. The standby
appears to use all the default ciphers supported by the system's OpenSSL
library.

For security compliance, we need to restrict the ciphers used by the
client. Is there a way to configure the list of supported TLS ciphers on
the standby for the replication connection?

If this functionality does not currently exist, I would like to request it
as a new feature. It would be very helpful to have a connection parameter
in primary_conninfo to specify the client-side cipher list.

Postgresql version: 15.2

Thank you for your time and consideration.

Best regards,

Yunfei Zhou

#2 Tom Lane
tgl@sss.pgh.pa.us
In reply to: xx Z (#1)
Re: Feature request: A method to configure client-side TLS ciphers for streaming replication

xx Z <xxz030811@gmail.com> writes:

For security compliance, we need to restrict the ciphers used by the
client. Is there a way to configure the list of supported TLS ciphers on
the standby for the replication connection?

No. It's not really apparent to me why the client would have stronger
needs for this than the server does, so I don't see why the existing
server-side options aren't sufficient.

(For that matter, if you have system-level security specifications
to meet, why would you not alter the system-wide OpenSSL configuration
on the client's host?)

regards, tom lane

#3 Andres Freund
andres@anarazel.de
In reply to: Tom Lane (#2)
Re: Feature request: A method to configure client-side TLS ciphers for streaming replication

Hi,

On 2025-08-26 10:09:56 -0400, Tom Lane wrote:

xx Z <xxz030811@gmail.com> writes:

For security compliance, we need to restrict the ciphers used by the
client. Is there a way to configure the list of supported TLS ciphers on
the standby for the replication connection?

No. It's not really apparent to me why the client would have stronger
needs for this than the server does, so I don't see why the existing
server-side options aren't sufficient.

If the used cipher is too weak, it makes it easier for a malicious server to
inject itself, pretending to be the real server. The settings on the real
server don't take effect in that case.

Greetings,

Andres Freund

#4 Jacob Champion
jacob.champion@enterprisedb.com
In reply to: Tom Lane (#2)
Re: Feature request: A method to configure client-side TLS ciphers for streaming replication

On Tue, Aug 26, 2025 at 7:10 AM Tom Lane <tgl@sss.pgh.pa.us> wrote:

(For that matter, if you have system-level security specifications
to meet, why would you not alter the system-wide OpenSSL configuration
on the client's host?)

There is that, or you can maybe use OPENSSL_CONF for more granularity.
(But I'm beginning to think we should support named configuration
sections [1] of openssl.conf, in both the client and the server, to
make this a bit easier.)

--Jacob

[1]: https://docs.openssl.org/1.1.1/man3/SSL_CTX_config/
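
What the replies in #2 and #4 point at, namely giving the standby's postgres process its own OpenSSL configuration through OPENSSL_CONF instead of a new libpq parameter, as an added example that is not part of this thread or of PostgreSQL itself. It assumes OpenSSL 1.1.1 or later on the standby, a systemd-managed postgres service, and the file paths and unit name shown; the cipher list itself is illustrative. The config's system_default section is the standard OpenSSL mechanism that is applied to every SSL_CTX a process creates, which is how the restriction reaches the walreceiver's libpq connection.

```shell
#!/bin/sh
# Added example, not code from the thread or from PostgreSQL: restrict the
# TLS ciphers libpq on the standby may negotiate by pointing that process at
# a dedicated OpenSSL config via OPENSSL_CONF.  Assumptions (not on the
# page): OpenSSL >= 1.1.1, postgres started by systemd, paths used below.

set -eu

# Write an OpenSSL config whose system_default section is applied to every
# SSL_CTX created in the process, including the one libpq creates for the
# walreceiver's replication connection.
write_client_openssl_cnf() {
    cnf="$1"
    cat > "$cnf" <<'EOF'
# Top-level (unnamed) section: names the init section libssl reads.
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
# Applied by SSL_CTX_new() in any process that loads this file.
MinProtocol = TLSv1.2
# TLS 1.2 cipher list; same syntax as the server's ssl_ciphers (illustrative).
CipherString = ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4
# TLS 1.3 suites are configured separately from CipherString.
Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
EOF
    chmod 0644 "$cnf"
}

# Inspect what the file allows without contacting any server.  `openssl
# ciphers` builds an SSL_CTX, so the system_default section applies to it.
list_allowed_ciphers() {
    OPENSSL_CONF="$1" openssl ciphers -v
}

# Scope the file to the standby's postgres service.  OPENSSL_CONF replaces
# the system-wide openssl.cnf for that process only, so anything else the
# system file provides (e.g. provider sections on OpenSSL 3) must be copied
# into this file as well.
install_systemd_override() {
    cnf="$1"
    unit="${2:-postgresql.service}"   # assumed unit name
    dir="/etc/systemd/system/$unit.d"
    mkdir -p "$dir"
    printf '[Service]\nEnvironment=OPENSSL_CONF=%s\n' "$cnf" \
        > "$dir/openssl-conf.conf"
    systemctl daemon-reload
    systemctl restart "$unit"
}

# On the primary: confirm which protocol and cipher the standby's walreceiver
# actually negotiated.  pg_stat_ssl and pg_stat_replication share the
# backend pid of the walsender serving that standby.
show_replication_cipher() {
    psql -X -d postgres -c \
      "SELECT r.client_addr, s.version, s.cipher, s.bits
         FROM pg_stat_ssl s JOIN pg_stat_replication r USING (pid);"
}

case "${1:-}" in
    install)   # run on the standby
        write_client_openssl_cnf /etc/postgresql/standby-openssl.cnf
        list_allowed_ciphers /etc/postgresql/standby-openssl.cnf
        install_systemd_override /etc/postgresql/standby-openssl.cnf
        ;;
    verify)    # run on the primary
        show_replication_cipher
        ;;
esac
```

Run it with `install` on the standby and `verify` on the primary. Two caveats a practitioner will want: the file governs every SSL_CTX in that postgres process, so it also constrains the standby's own server-side TLS and any other outbound libpq connection it makes (dblink, postgres_fdw); and narrowing the cipher list limits what a rogue server could negotiate but does not by itself authenticate the primary, which remains the job of sslmode=verify-full (or verify-ca) and sslrootcert in primary_conninfo.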