On Tue, 2025-08-26 at 20:34 +0800, xx Z wrote:
> Thanks for your suggestion.
> But I still want to know why we can't set "ssl_ciphers" on the client side.
I'd say because nobody implemented it, perhaps because nobody felt the need.
> This is still considered a security issue in some cases, and PostgreSQL has
> mature capabilities on the master side to implement this functionality.
That sounds to me like some moderately clueful security auditor is looking
for a nit to pick. If you do streaming replication, and you control the
ciphers on the primary server, what added security benefit do you get by
controlling the ciphers on the standby server (the client) as well?
Yours,
Laurenz Albe