From: Peter Eisentraut Date: Thu, 23 Jul 2020 15:13:00 +0000 (+0200) Subject: doc: Document that ssl_ciphers does not affect TLS 1.3 X-Git-Tag: REL_14_BETA1~1931 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5733fa0fe4a73efa46801aa4189f7da17dd2b4bf;p=thirdparty%2Fpostgresql.git doc: Document that ssl_ciphers does not affect TLS 1.3 TLS 1.3 uses a different way of specifying ciphers and a different OpenSSL API. PostgreSQL currently does not support setting those ciphers. For now, just document this. In the future, support for this might be added somehow. Reviewed-by: Jonathan S. Katz Reviewed-by: Tom Lane --- diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml index ca6a3a523ff..6ce59078967 100644 --- a/doc/src/sgml/config.sgml +++ b/doc/src/sgml/config.sgml @@ -1216,16 +1216,22 @@ include_dir 'conf.d' - Specifies a list of SSL cipher suites that are allowed to be - used on secure connections. See - the ciphers manual page - in the OpenSSL package for the syntax of this setting - and a list of supported values. - This parameter can only be set in the postgresql.conf - file or on the server command line. - The default value is HIGH:MEDIUM:+3DES:!aNULL. The - default is usually a reasonable choice unless you have specific - security requirements. + Specifies a list of SSL cipher suites that are + allowed to be used by SSL connections. See the + ciphers + manual page in the OpenSSL package for the + syntax of this setting and a list of supported values. Only + connections using TLS version 1.2 and lower are affected. There is + currently no setting that controls the cipher choices used by TLS + version 1.3 connections. The default value is + HIGH:MEDIUM:+3DES:!aNULL. The default is usually a + reasonable choice unless you have specific security requirements. + + + + This parameter can only be set in the + postgresql.conf file or on the server command + line.
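Review bot: The new sentence "There is currently no setting that controls the cipher choices used by TLS version 1.3 connections" in the ssl_ciphers paragraph stops short of the consequence an administrator needs to see. A site that has tightened ssl_ciphers to meet a security requirement gets no restriction at all on TLS 1.3 connections, yet the paragraph still closes with "The default is usually a reasonable choice unless you have specific security requirements", which reads as if the setting covered every connection. I would state outright that a TLS 1.3 connection negotiates its cipher suite independently of this value. I would also add a cross-reference to the protocol version limit (ssl_max_protocol_version) for sites that must hold all connections to the configured list. A smaller point in the same paragraph: "allowed to be used by SSL connections" sits next to "TLS version 1.2 and lower", so it may be worth noting once that the cipher list applies per negotiated protocol version, so readers do not take "SSL connections" to mean all encrypted connections.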