Commit 5733fa0

doc: Document that ssl_ciphers does not affect TLS 1.3
TLS 1.3 uses a different way of specifying ciphers and a different OpenSSL API. PostgreSQL currently does not support setting those ciphers. For now, just document this. In the future, support for this might be added somehow.

Reviewed-by: Jonathan S. Katz <jkatz@postgresql.org>
Reviewed-by: Tom Lane <tgl@sss.pgh.pa.us>
1 parent 42dee8b commit 5733fa0

1 file changed

+16
-10
lines changed

doc/src/sgml/config.sgml

+16-10
@@ -1216,16 +1216,22 @@ include_dir 'conf.d'
12161216
</term>
12171217
<listitem>
12181218
<para>
1219-
Specifies a list of <acronym>SSL</acronym> cipher suites that are allowed to be
1220-
used on secure connections. See
1221-
the <citerefentry><refentrytitle>ciphers</refentrytitle></citerefentry> manual page
1222-
in the <application>OpenSSL</application> package for the syntax of this setting
1223-
and a list of supported values.
1224-
This parameter can only be set in the <filename>postgresql.conf</filename>
1225-
file or on the server command line.
1226-
The default value is <literal>HIGH:MEDIUM:+3DES:!aNULL</literal>. The
1227-
default is usually a reasonable choice unless you have specific
1228-
security requirements.
1219+
Specifies a list of <acronym>SSL</acronym> cipher suites that are
1220+
allowed to be used by SSL connections. See the
1221+
<citerefentry><refentrytitle>ciphers</refentrytitle></citerefentry>
1222+
manual page in the <application>OpenSSL</application> package for the
1223+
syntax of this setting and a list of supported values. Only
1224+
connections using TLS version 1.2 and lower are affected. There is
1225+
currently no setting that controls the cipher choices used by TLS
1226+
version 1.3 connections. The default value is
1227+
<literal>HIGH:MEDIUM:+3DES:!aNULL</literal>. The default is usually a
1228+
reasonable choice unless you have specific security requirements.
1229+
</para>
1230+
1231+
<para>
1232+
This parameter can only be set in the
1233+
<filename>postgresql.conf</filename> file or on the server command
1234+
line.
12291235
</para>
12301236

12311237
<para>
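
Review bot: The TLS 1.3 caveat added at new lines 1223-1226 sits mid-paragraph, between the pointer to the OpenSSL ciphers manual page and the default value, so a reader who skips to the default and tightens it for "specific security requirements" can miss that TLS 1.3 connections are not restricted by this setting. Consider moving the two sentences ("Only connections using TLS version 1.2 and lower are affected. There is currently no setting ...") into their own <para> or a <note> after the default, the same way the postgresql.conf/command-line sentence is split out in this hunk. It would also help to say what does determine the cipher choice for a TLS 1.3 connection, since the new text only says what does not. Separately, the opening sentence still reads "SSL cipher suites ... used by SSL connections" while the new sentences say "TLS version", so the terminology inside the paragraph is now mixed.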
