Re: How to configure client-side TLS ciphers for streaming replication? - Mailing list pgsql-general

From DINESH NAIR
Subject Re: How to configure client-side TLS ciphers for streaming replication?
Date
Msg-id PN4P287MB43813EBDE5D319C9C9237AD99C39A@PN4P287MB4381.INDP287.PROD.OUTLOOK.COM
In response to Re: How to configure client-side TLS ciphers for streaming replication?  (Rob Sargent <robjsargent@gmail.com>)
List pgsql-general
Hi,

Found an article which might be of help, configuring through HAProxy as a TLS proxy to control cipher suites.


Thanks & Regards

Dinesh Nair



From: Rob Sargent <robjsargent@gmail.com>
Sent: Tuesday, August 26, 2025 7:25 PM
To: Z xx <xxz030811@gmail.com>
Cc: Laurenz Albe <laurenz.albe@cybertec.at>; pgsql-general@lists.postgresql.org <pgsql-general@lists.postgresql.org>
Subject: Re: How to configure client-side TLS ciphers for streaming replication?
 

> On Aug 26, 2025, at 5:35 AM, xx Z <xxz030811@gmail.com> wrote:
>
> 
> Thanks for your suggestion.
> But I still want to know why we can't set "ssl_ciphers" on the client side.
> This is still considered a security issue in some cases, and PostgreSQL has mature capabilities on the master side to implement this functionality.
>
> Greetings,
> Yunfei Zhou
>

What is your attack/exposure scenario?


