doc: Document that ssl_ciphers does not affect TLS 1.3

TLS 1.3 uses a different way of specifying ciphers and a different
OpenSSL API.  PostgreSQL currently does not support setting those
ciphers.  For now, just document this.  In the future, support for
this might be added somehow.

Reviewed-by: Jonathan S. Katz <jkatz@postgresql.org>
Reviewed-by: Tom Lane <tgl@sss.pgh.pa.us>
Peter Eisentraut 2020-07-23 17:13:00 +02:00
parent 6b366190d5
commit dbd03482c6
1 changed files with 16 additions and 10 deletions


@ -1216,16 +1216,22 @@ include_dir 'conf.d'
</term> </term>
<listitem> <listitem>
<para> <para>
Specifies a list of <acronym>SSL</acronym> cipher suites that are allowed to be Specifies a list of <acronym>SSL</acronym> cipher suites that are
used on secure connections. See allowed to be used by SSL connections. See the
the <citerefentry><refentrytitle>ciphers</refentrytitle></citerefentry> manual page <citerefentry><refentrytitle>ciphers</refentrytitle></citerefentry>
in the <application>OpenSSL</application> package for the syntax of this setting manual page in the <application>OpenSSL</application> package for the
and a list of supported values. syntax of this setting and a list of supported values. Only
This parameter can only be set in the <filename>postgresql.conf</filename> connections using TLS version 1.2 and lower are affected. There is
file or on the server command line. currently no setting that controls the cipher choices used by TLS
The default value is <literal>HIGH:MEDIUM:+3DES:!aNULL</literal>. The version 1.3 connections. The default value is
default is usually a reasonable choice unless you have specific <literal>HIGH:MEDIUM:+3DES:!aNULL</literal>. The default is usually a
security requirements. reasonable choice unless you have specific security requirements.
</para>
<para>
This parameter can only be set in the
<filename>postgresql.conf</filename> file or on the server command
line.
</para> </para>
<para> <para>
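Review bot: In the rewritten first paragraph, the opening sentence still reads "allowed to be used by SSL connections" with no qualifier, and the limit to TLS version 1.2 and lower only appears two sentences later, after the pointer to the ciphers manual page. A reader who tightens this list after reading only the first sentence will assume it governs every connection. Consider stating the restriction in the opening sentence itself, and adding a sentence on what determines the cipher choice for TLS version 1.3 connections, since "There is currently no setting" leaves that open.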