Hi , Found an article which might be of help, configuring through HAProxy as a TLS proxy to control cipher suites.
https://stackoverflow.com/questions/53198588/how-to-disable-specific-cipher-suites-from-haproxy-can-i-do-this-ssl-default [https://cdn.sstatic.net/Sites/stackoverflow/Img/apple-touch-i...@2.png?v=73d79a89bded]<https://stackoverflow.com/questions/53198588/how-to-disable-specific-cipher-suites-from-haproxy-can-i-do-this-ssl-default> Can I do this "ssl-default-bind-ciphers no RC4-MD5" - Stack Overflow<https://stackoverflow.com/questions/53198588/how-to-disable-specific-cipher-suites-from-haproxy-can-i-do-this-ssl-default> How to disable specific cipher suites from Haproxy? All the documents say is to provide a list to be allowed for 'ssl-default-bind-ciphers'. I want to provide only the ones NOT to be allowed. Can I do this "ssl-default-bind-ciphers no RC4-MD5" Reason: I don't want to restrict myself to the ones I put in the list. If the client comes in with a better, faster ciphers suite- I want the ... stackoverflow.com Ciphers: https://www.openssl.org/docs/man1.0.2/apps/ciphers.html Thanks & Regards Dinesh Nair ________________________________ From: Rob Sargent <robjsarg...@gmail.com> Sent: Tuesday, August 26, 2025 7:25 PM To: Z xx <xxz030...@gmail.com> Cc: Laurenz Albe <laurenz.a...@cybertec.at>; pgsql-general@lists.postgresql.org <pgsql-general@lists.postgresql.org> Subject: Re: How to configure client-side TLS ciphers for streaming replication? [You don't often get email from robjsarg...@gmail.com. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ] Caution: This email was sent from an external source. Please verify the sender’s identity before clicking links or opening attachments. > On Aug 26, 2025, at 5:35 AM, xx Z <xxz030...@gmail.com> wrote: > > > Thanks for your suggestion. > But I still want to know why we can't set "ssl_ciphers" on the client side. > This is still considered a security issue in some cases, and PostgreSQL has > mature capabilities on the master side to implement this functionality. > > Greetings, > Yunfei Zhou > What is your attack/exposure scenario?
