Re: How to configure client-side TLS ciphers for streaming replication?

"DINESH NAIR" <Dinesh_Nair@xxxxxxxxxxxxxxxxx> · Tue, 26 Aug 2025 18:10:06 +0000

Hi ,

Found an article which might be of help, configuring through  HAProxy as a TLS proxy to control cipher suites.

https://stackoverflow.com/questions/53198588/how-to-disable-specific-cipher-suites-from-haproxy-can-i-do-this-ssl-default

Can I do this "ssl-default-bind-ciphers
 no RC4-MD5" - Stack Overflow

How to disable specific cipher suites from Haproxy? All the documents say is to provide a list to be allowed for 'ssl-default-bind-ciphers'. I want to provide only the ones NOT to be allowed. Can I do this "ssl-default-bind-ciphers no RC4-MD5" Reason: I don't
 want to restrict myself to the ones I put in the list. If the client comes in with a better, faster ciphers suite- I want the ...

stackoverflow.com

Ciphers: https://www.openssl.org/docs/man1.0.2/apps/ciphers.html

Thanks & Regards

Dinesh Nair

From: Rob Sargent <robjsargent@xxxxxxxxx>

Sent: Tuesday, August 26, 2025 7:25 PM

To: Z xx <xxz030811@xxxxxxxxx>

Cc: Laurenz Albe <laurenz.albe@xxxxxxxxxxx>; pgsql-general@xxxxxxxxxxxxxxxxxxxx <pgsql-general@xxxxxxxxxxxxxxxxxxxx>

Subject: Re: How to configure client-side TLS ciphers for streaming replication?

[You don't often get email from robjsargent@xxxxxxxxx. Learn why this is important at
https://aka.ms/LearnAboutSenderIdentification ]

Caution: This email was sent from an external source. Please verify the sender’s identity before clicking links or opening attachments.

> On Aug 26, 2025, at 5:35 AM, xx Z <xxz030811@xxxxxxxxx> wrote:

>

> 

> Thanks for your suggestion.

> But I still want to know why we can't set "ssl_ciphers" on the client side.

> This is still considered a security issue in some cases, and PostgreSQL has mature capabilities on the master side to implement this functionality.

>

> Greetings,

> Yunfei Zhou

>

What is your attack/exposure scenario?