Re: Feature request: A method to configure client-side TLS ciphers for streaming replication

From Andres Freund
Subject Re: Feature request: A method to configure client-side TLS ciphers for streaming replication
Date
Msg-id qoun5qig2xospw6mw4swfgwenrlveqb3dyt3a3nbg3obnz6p33@ni5ud3a2iyus
In response to Re: Feature request: A method to configure client-side TLS ciphers for streaming replication (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
Hi,

On 2025-08-26 10:09:56 -0400, Tom Lane wrote:
> xx Z <xxz030811@gmail.com> writes:
> > For security compliance, we need to restrict the ciphers used by the
> > client. Is there a way to configure the list of supported TLS ciphers on
> > the standby for the replication connection?
> 
> No.  It's not really apparent to me why the client would have stronger
> needs for this than the server does, so I don't see why the existing
> server-side options aren't sufficient.

If the used cipher is too weak, it makes it easier for a malicious server to
inject itself, pretending to be the real server. The settings on the real
server don't take effect in that case.

Greetings,

Andres Freund


