From dbd03482c626e7c5bb92dde983c4b9de6f623253 Mon Sep 17 00:00:00 2001 From: Peter Eisentraut Date: Thu, 23 Jul 2020 17:13:00 +0200 Subject: [PATCH] doc: Document that ssl_ciphers does not affect TLS 1.3 TLS 1.3 uses a different way of specifying ciphers and a different OpenSSL API. PostgreSQL currently does not support setting those ciphers. For now, just document this. In the future, support for this might be added somehow. Reviewed-by: Jonathan S. Katz Reviewed-by: Tom Lane --- doc/src/sgml/config.sgml | 26 ++++++++++++++++---------- 1 file changed, 16 insertions(+), 10 deletions(-) diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml index e0068d5ee1..6124142097 100644 --- a/doc/src/sgml/config.sgml +++ b/doc/src/sgml/config.sgml @@ -1216,16 +1216,22 @@ include_dir 'conf.d' - Specifies a list of SSL cipher suites that are allowed to be - used on secure connections. See - the ciphers manual page - in the OpenSSL package for the syntax of this setting - and a list of supported values. - This parameter can only be set in the postgresql.conf - file or on the server command line. - The default value is HIGH:MEDIUM:+3DES:!aNULL. The - default is usually a reasonable choice unless you have specific - security requirements. + Specifies a list of SSL cipher suites that are + allowed to be used by SSL connections. See the + ciphers + manual page in the OpenSSL package for the + syntax of this setting and a list of supported values. Only + connections using TLS version 1.2 and lower are affected. There is + currently no setting that controls the cipher choices used by TLS + version 1.3 connections. The default value is + HIGH:MEDIUM:+3DES:!aNULL. The default is usually a + reasonable choice unless you have specific security requirements. + + + + This parameter can only be set in the + postgresql.conf file or on the server command + line.