diff options
| author | Peter Eisentraut <peter@eisentraut.org> | 2020-07-23 17:13:00 +0200 |
|---|---|---|
| committer | Peter Eisentraut <peter@eisentraut.org> | 2020-07-23 20:38:45 +0200 |
| commit | 807dbce4b668c92c06b507e44da1c6a177bcbd20 (patch) | |
| tree | dbdbe0447b7c173f7408ef9e0cfc0162c665cc80 | |
| parent | 028f0c3a86d003ecaab05ff9df2386f806a3ddf3 (diff) | |
| download | postgresql-807dbce4b668c92c06b507e44da1c6a177bcbd20.tar.gz postgresql-807dbce4b668c92c06b507e44da1c6a177bcbd20.zip | |
doc: Document that ssl_ciphers does not affect TLS 1.3
TLS 1.3 uses a different way of specifying ciphers and a different
OpenSSL API. PostgreSQL currently does not support setting those
ciphers. For now, just document this. In the future, support for
this might be added somehow.
Reviewed-by: Jonathan S. Katz <jkatz@postgresql.org>
Reviewed-by: Tom Lane <tgl@sss.pgh.pa.us>
| -rw-r--r-- | doc/src/sgml/config.sgml | 26 |
1 files changed, 16 insertions, 10 deletions
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml index 44e830aa083..f569aa20154 100644 --- a/doc/src/sgml/config.sgml +++ b/doc/src/sgml/config.sgml @@ -1178,16 +1178,22 @@ include_dir 'conf.d' </term> <listitem> <para> - Specifies a list of <acronym>SSL</acronym> cipher suites that are allowed to be - used on secure connections. See - the <citerefentry><refentrytitle>ciphers</refentrytitle></citerefentry> manual page - in the <application>OpenSSL</application> package for the syntax of this setting - and a list of supported values. - This parameter can only be set in the <filename>postgresql.conf</filename> - file or on the server command line. - The default value is <literal>HIGH:MEDIUM:+3DES:!aNULL</literal>. The - default is usually a reasonable choice unless you have specific - security requirements. + Specifies a list of <acronym>SSL</acronym> cipher suites that are + allowed to be used by SSL connections. See the + <citerefentry><refentrytitle>ciphers</refentrytitle></citerefentry> + manual page in the <application>OpenSSL</application> package for the + syntax of this setting and a list of supported values. Only + connections using TLS version 1.2 and lower are affected. There is + currently no setting that controls the cipher choices used by TLS + version 1.3 connections. The default value is + <literal>HIGH:MEDIUM:+3DES:!aNULL</literal>. The default is usually a + reasonable choice unless you have specific security requirements. + </para> + + <para> + This parameter can only be set in the + <filename>postgresql.conf</filename> file or on the server command + line. </para> <para> |