Commit eb8e2cc

doc: Document that ssl_ciphers does not affect TLS 1.3
TLS 1.3 uses a different way of specifying ciphers and a different OpenSSL API. PostgreSQL currently does not support setting those ciphers. For now, just document this. In the future, support for this might be added somehow.

Reviewed-by: Jonathan S. Katz <jkatz@postgresql.org>
Reviewed-by: Tom Lane <tgl@sss.pgh.pa.us>
1 parent fac4145 commit eb8e2cc

1 file changed

+16
-10
lines changed

doc/src/sgml/config.sgml

Lines changed: 16 additions & 10 deletions
@@ -1067,16 +1067,22 @@ include_dir 'conf.d'
10671067
</term>
10681068
<listitem>
10691069
<para>
1070-
Specifies a list of <acronym>SSL</> cipher suites that are allowed to be
1071-
used on secure connections. See
1072-
the <citerefentry><refentrytitle>ciphers</></citerefentry> manual page
1073-
in the <application>OpenSSL</> package for the syntax of this setting
1074-
and a list of supported values.
1075-
This parameter can only be set in the <filename>postgresql.conf</>
1076-
file or on the server command line.
1077-
The default value is <literal>HIGH:MEDIUM:+3DES:!aNULL</>. The
1078-
default is usually a reasonable choice unless you have specific
1079-
security requirements.
1070+
Specifies a list of <acronym>SSL</> cipher suites that are
1071+
allowed to be used by SSL connections. See the
1072+
<citerefentry><refentrytitle>ciphers</></citerefentry>
1073+
manual page in the <application>OpenSSL</> package for the
1074+
syntax of this setting and a list of supported values. Only
1075+
connections using TLS version 1.2 and lower are affected. There is
1076+
currently no setting that controls the cipher choices used by TLS
1077+
version 1.3 connections. The default value is
1078+
<literal>HIGH:MEDIUM:+3DES:!aNULL</>. The default is usually a
1079+
reasonable choice unless you have specific security requirements.
1080+
</para>
1081+
1082+
<para>
1083+
This parameter can only be set in the
1084+
<filename>postgresql.conf</> file or on the server command
1085+
line.
10801086
</para>
10811087

10821088
<para>
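
Review bot: The added sentences at new lines 1074-1077 say that no setting controls the TLS 1.3 cipher choices but do not spell out the consequence, so a reader who tightens ssl_ciphers to meet a specific security requirement may still assume the list bounds every connection. Consider saying so directly, for example "TLS version 1.3 connections can therefore negotiate ciphers that are not in this list", and, if it can be stated accurately, where the TLS 1.3 choice comes from. The retained sentence "The default is usually a reasonable choice unless you have specific security requirements" now follows the TLS 1.3 caveat immediately and reads as if it covered TLS 1.3 as well; moving it ahead of "Only connections using TLS version 1.2 and lower are affected" would keep the default value and its advice scoped to the connections the setting actually affects. Minor style point: the first sentence says "by SSL connections" while the new text says "TLS version", and using one term within the paragraph would read more cleanly.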
