doc: Document that ssl_ciphers does not affect TLS 1.3

TLS 1.3 uses a different way of specifying ciphers and a different
OpenSSL API.  PostgreSQL currently does not support setting those
ciphers.  For now, just document this.  In the future, support for
this might be added somehow.

Reviewed-by: Jonathan S. Katz <jkatz@postgresql.org>
Reviewed-by: Tom Lane <tgl@sss.pgh.pa.us>
Peter Eisentraut 2020-07-23 17:13:00 +02:00
parent 42dee8b8e3
commit 5733fa0fe4
1 changed files with 16 additions and 10 deletions

@ -1216,16 +1216,22 @@ include_dir 'conf.d'
</term>
<listitem>
<para>
Specifies a list of <acronym>SSL</acronym> cipher suites that are allowed to be
used on secure connections. See
the <citerefentry><refentrytitle>ciphers</refentrytitle></citerefentry> manual page
in the <application>OpenSSL</application> package for the syntax of this setting
and a list of supported values.
This parameter can only be set in the <filename>postgresql.conf</filename>
file or on the server command line.
The default value is <literal>HIGH:MEDIUM:+3DES:!aNULL</literal>. The
default is usually a reasonable choice unless you have specific
security requirements.
Specifies a list of <acronym>SSL</acronym> cipher suites that are
allowed to be used by SSL connections. See the
<citerefentry><refentrytitle>ciphers</refentrytitle></citerefentry>
manual page in the <application>OpenSSL</application> package for the
syntax of this setting and a list of supported values. Only
connections using TLS version 1.2 and lower are affected. There is
currently no setting that controls the cipher choices used by TLS
version 1.3 connections. The default value is
<literal>HIGH:MEDIUM:+3DES:!aNULL</literal>. The default is usually a
reasonable choice unless you have specific security requirements.
</para>
<para>
This parameter can only be set in the
<filename>postgresql.conf</filename> file or on the server command
line.
</para>
<para>
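
Review bot: The new sentence "There is currently no setting that controls the cipher choices used by TLS version 1.3 connections" in the first paragraph does not say which suites such a connection uses instead. Consider adding that TLS 1.3 connections fall back to the OpenSSL library's own defaults, since the paragraph still closes with "unless you have specific security requirements" and a reader with such requirements could otherwise assume that tightening ssl_ciphers is sufficient. It may also be worth stating that the limitation is on the PostgreSQL side (a different OpenSSL API, as the commit message explains), so the reader knows it is not a property of the ciphers manual page being referenced.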