diff options
| author | Peter Eisentraut <peter@eisentraut.org> | 2020-07-23 17:13:00 +0200 |
|---|---|---|
| committer | Peter Eisentraut <peter@eisentraut.org> | 2020-07-23 20:37:56 +0200 |
| commit | 5733fa0fe4a73efa46801aa4189f7da17dd2b4bf (patch) | |
| tree | 395835963e41fe350dddfa87e7657ba6ff491414 | |
| parent | 42dee8b8e362bae05de2234a4fc7a3aa9dacdf6f (diff) | |
| download | postgresql-5733fa0fe4a73efa46801aa4189f7da17dd2b4bf.tar.gz postgresql-5733fa0fe4a73efa46801aa4189f7da17dd2b4bf.zip | |
doc: Document that ssl_ciphers does not affect TLS 1.3
TLS 1.3 uses a different way of specifying ciphers and a different
OpenSSL API. PostgreSQL currently does not support setting those
ciphers. For now, just document this. In the future, support for
this might be added somehow.
Reviewed-by: Jonathan S. Katz <jkatz@postgresql.org>
Reviewed-by: Tom Lane <tgl@sss.pgh.pa.us>
| -rw-r--r-- | doc/src/sgml/config.sgml | 26 |
1 files changed, 16 insertions, 10 deletions
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml index ca6a3a523ff..6ce59078967 100644 --- a/doc/src/sgml/config.sgml +++ b/doc/src/sgml/config.sgml @@ -1216,16 +1216,22 @@ include_dir 'conf.d' </term> <listitem> <para> - Specifies a list of <acronym>SSL</acronym> cipher suites that are allowed to be - used on secure connections. See - the <citerefentry><refentrytitle>ciphers</refentrytitle></citerefentry> manual page - in the <application>OpenSSL</application> package for the syntax of this setting - and a list of supported values. - This parameter can only be set in the <filename>postgresql.conf</filename> - file or on the server command line. - The default value is <literal>HIGH:MEDIUM:+3DES:!aNULL</literal>. The - default is usually a reasonable choice unless you have specific - security requirements. + Specifies a list of <acronym>SSL</acronym> cipher suites that are + allowed to be used by SSL connections. See the + <citerefentry><refentrytitle>ciphers</refentrytitle></citerefentry> + manual page in the <application>OpenSSL</application> package for the + syntax of this setting and a list of supported values. Only + connections using TLS version 1.2 and lower are affected. There is + currently no setting that controls the cipher choices used by TLS + version 1.3 connections. The default value is + <literal>HIGH:MEDIUM:+3DES:!aNULL</literal>. The default is usually a + reasonable choice unless you have specific security requirements. + </para> + + <para> + This parameter can only be set in the + <filename>postgresql.conf</filename> file or on the server command + line. </para> <para> |