From: Peter Eisentraut <peter@eisentraut.org>
Date: Thu, 23 Jul 2020 15:13:00 +0000 (+0200)
Subject: doc: Document that ssl_ciphers does not affect TLS 1.3
X-Git-Tag: REL9_5_23~14
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=77033aa97af75802dcf4985b86c4555c9722c348;p=thirdparty%2Fpostgresql.git

doc: Document that ssl_ciphers does not affect TLS 1.3

TLS 1.3 uses a different way of specifying ciphers and a different
OpenSSL API.  PostgreSQL currently does not support setting those
ciphers.  For now, just document this.  In the future, support for
this might be added somehow.

Reviewed-by: Jonathan S. Katz <jkatz@postgresql.org>
Reviewed-by: Tom Lane <tgl@sss.pgh.pa.us>
---

diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index 239dbf97ba6..74bb25ae16e 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -1056,11 +1056,14 @@ include_dir 'conf.d'
       </term>
       <listitem>
        <para>
-        Specifies a list of <acronym>SSL</> cipher suites that are allowed to be
-        used on secure connections.  See
-        the <citerefentry><refentrytitle>ciphers</></citerefentry> manual page
-        in the <application>OpenSSL</> package for the syntax of this setting
-        and a list of supported values.  The default value is
+        Specifies a list of <acronym>SSL</> cipher suites that are
+        allowed to be used by SSL connections.  See the
+        <citerefentry><refentrytitle>ciphers</></citerefentry>
+        manual page in the <application>OpenSSL</> package for the
+        syntax of this setting and a list of supported values.  Only
+        connections using TLS version 1.2 and lower are affected.  There is
+        currently no setting that controls the cipher choices used by TLS
+        version 1.3 connections.  The default value is
         <literal>HIGH:MEDIUM:+3DES:!aNULL</>.  It is usually reasonable,
         unless you have specific security requirements.  This parameter can only
         be set at server start.