author | Peter Eisentraut <peter@eisentraut.org> | 2020-07-23 17:13:00 +0200 |
---|---|---|
committer | Peter Eisentraut <peter@eisentraut.org> | 2020-07-23 20:38:31 +0200 |
commit | 63b2297a33ebca87942e55643339c08fbdd25526 (patch) | |
tree | 54c15f2e9008c07aa04fe8cdae3d4a2e2ae0bb34 | |
parent | 8bf4e69a7f7b076fae3b8e2361977f590d095b5a (diff) | |

doc: Document that ssl_ciphers does not affect TLS 1.3

TLS 1.3 uses a different way of specifying ciphers and a different
OpenSSL API. PostgreSQL currently does not support setting those
ciphers. For now, just document this. In the future, support for
this might be added somehow.

Reviewed-by: Jonathan S. Katz <jkatz@postgresql.org>
Reviewed-by: Tom Lane <tgl@sss.pgh.pa.us>

-rw-r--r-- | doc/src/sgml/config.sgml | 26 |
1 files changed, 16 insertions, 10 deletions
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml index 6a5c56fb7b5..89f1ce33058 100644 --- a/doc/src/sgml/config.sgml +++ b/doc/src/sgml/config.sgml @@ -1221,16 +1221,22 @@ include_dir 'conf.d' </term> <listitem> <para> - Specifies a list of <acronym>SSL</acronym> cipher suites that are allowed to be - used on secure connections. See - the <citerefentry><refentrytitle>ciphers</refentrytitle></citerefentry> manual page - in the <application>OpenSSL</application> package for the syntax of this setting - and a list of supported values. - This parameter can only be set in the <filename>postgresql.conf</filename> - file or on the server command line. - The default value is <literal>HIGH:MEDIUM:+3DES:!aNULL</literal>. The - default is usually a reasonable choice unless you have specific - security requirements. + Specifies a list of <acronym>SSL</acronym> cipher suites that are + allowed to be used by SSL connections. See the + <citerefentry><refentrytitle>ciphers</refentrytitle></citerefentry> + manual page in the <application>OpenSSL</application> package for the + syntax of this setting and a list of supported values. Only + connections using TLS version 1.2 and lower are affected. There is + currently no setting that controls the cipher choices used by TLS + version 1.3 connections. The default value is + <literal>HIGH:MEDIUM:+3DES:!aNULL</literal>. The default is usually a + reasonable choice unless you have specific security requirements. + </para> + + <para> + This parameter can only be set in the + <filename>postgresql.conf</filename> file or on the server command + line. </para> <para> |
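
Review bot: The added sentence "There is currently no setting that controls the cipher choices used by TLS version 1.3 connections" in the first <para> says what ssl_ciphers does not cover but not what applies instead, so an administrator who tightens the list from the default HIGH:MEDIUM:+3DES:!aNULL is left without a way to judge what a TLS 1.3 connection will negotiate. Suggest adding one sentence saying where the TLS 1.3 cipher choice comes from; the commit message already notes that it goes through a different OpenSSL API that PostgreSQL does not set, and that fact belongs in the documentation text as well. Minor: the paragraph opens with <acronym>SSL</acronym> cipher suites "used by SSL connections" and then switches to "TLS version 1.2" and "TLS version 1.3" without acronym markup; one term and one markup style throughout would read more cleanly.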