postgresql, 22nd chunk of `doc/src/sgml/config.sgml`
 Disables anonymous cipher suites that do no authentication.  Such
            cipher suites are vulnerable to <acronym>MITM</acronym> attacks and
            therefore should not be used.
           </para>
          </listitem>
         </varlistentry>
        </variablelist>
       </para>

       <para>
        Available cipher suite details will vary across
        <productname>OpenSSL</productname> versions.  Use the command
        <literal>openssl ciphers -v 'HIGH:MEDIUM:+3DES:!aNULL'</literal> to
        see actual details for the currently installed
        <productname>OpenSSL</productname> version.  Note that this list is
        filtered at run time based on the server key type.
       </para>
      </listitem>
     </varlistentry>
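As an added illustration (not PostgreSQL or OpenSSL project code), the script below parses the tabular output of `openssl ciphers -v`, separates the anonymous suites that `!aNULL` removes (the `Au=None` column), and models the run-time filtering by server key type mentioned above: a server presenting an RSA certificate can only negotiate suites whose authentication is `RSA` (or `any`, i.e. TLS 1.3). The sample output is constructed by hand in OpenSSL's format; `query_openssl` is a hypothetical helper that runs the locally installed `openssl` binary when one is available.

```python
"""Classify `openssl ciphers -v` output the way a PostgreSQL server can use it.

Added example, not PostgreSQL or OpenSSL project code.
"""
import subprocess
from typing import Dict, List

# Constructed sample (not captured output) in the layout `openssl ciphers -v` prints:
#   NAME  PROTOCOL  Kx=...  Au=...  Enc=...  Mac=...
SAMPLE_CIPHERS_V = """\
TLS_AES_256_GCM_SHA384         TLSv1.3 Kx=any   Au=any   Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2 Kx=ECDH  Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2 Kx=ECDH  Au=RSA   Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-SHA             SSLv3   Kx=DH    Au=RSA   Enc=AES(128)    Mac=SHA1
AECDH-AES256-SHA               TLSv1   Kx=ECDH  Au=None  Enc=AES(256)    Mac=SHA1
ADH-AES128-SHA                 SSLv3   Kx=DH    Au=None  Enc=AES(128)    Mac=SHA1
"""


def parse_ciphers_v(text: str) -> List[Dict[str, str]]:
    """Turn each output line into a dict: name, protocol, plus Kx/Au/Enc/Mac."""
    suites = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        suite = {"name": fields[0], "protocol": fields[1]}
        for token in fields[2:]:
            if "=" in token:
                key, value = token.split("=", 1)
                suite[key] = value
        suites.append(suite)
    return suites


def anonymous_suites(suites: List[Dict[str, str]]) -> List[str]:
    """Suites with no server authentication (Au=None): exactly what `!aNULL` drops."""
    return [s["name"] for s in suites if s.get("Au") == "None"]


def usable_with_key(suites: List[Dict[str, str]], key_type: str) -> List[str]:
    """Suites negotiable with a server certificate of `key_type` ("RSA" or "ECDSA").

    TLS 1.3 suites are listed as Au=any and work with either key; anonymous
    suites (Au=None) never match a real certificate. This models the run-time
    filtering by server key type that the documentation describes.
    """
    return [s["name"] for s in suites if s.get("Au") in (key_type, "any")]


def query_openssl(spec: str) -> List[Dict[str, str]]:
    """Hypothetical helper: ask the installed OpenSSL for a real list (needs `openssl`)."""
    out = subprocess.run(["openssl", "ciphers", "-v", spec], check=True,
                         capture_output=True, text=True).stdout
    return parse_ciphers_v(out)


if __name__ == "__main__":
    suites = parse_ciphers_v(SAMPLE_CIPHERS_V)
    print("anonymous (removed by !aNULL):", anonymous_suites(suites))
    for key in ("RSA", "ECDSA"):
        print(f"usable with {key} server key:", usable_with_key(suites, key))
```

Running `query_openssl("HIGH:MEDIUM:+3DES:!aNULL")` instead of the constructed sample shows the real list for the installed OpenSSL, and `anonymous_suites` on that result should come back empty because `!aNULL` is in the specification.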

     <varlistentry id="guc-ssl-prefer-server-ciphers" xreflabel="ssl_prefer_server_ciphers">
      <term><varname>ssl_prefer_server_ciphers</varname> (<type>boolean</type>)
      <indexterm>
       <primary><varname>ssl_prefer_server_ciphers</varname> configuration parameter</primary>
      </indexterm>
      </term>
      <listitem>
       <para>
        Specifies whether to use the server's SSL cipher preferences, rather
        than the client's.
        This parameter can only be set in the <filename>postgresql.conf</filename>
        file or on the server command line.
        The default is <literal>on</literal>.
       </para>

       <para>
        <productname>PostgreSQL</productname> versions before 9.4 do not have
        this setting and always use the client's preferences.  This setting is
        mainly for backward compatibility with those versions.  Using the
        server's preferences is usually better because it is more likely that
        the server is appropriately configured.
       </para>
      </listitem>
     </varlistentry>

     <varlistentry id="guc-ssl-groups" xreflabel="ssl_groups">
      <term><varname>ssl_groups</varname> (<type>string</type>)
      <indexterm>
       <primary><varname>ssl_groups</varname> configuration parameter</primary>
      </indexterm>
      </term>
      <listitem>
       <para>
        Specifies the name of the curve to use in <acronym>ECDH</acronym> key
        exchange.  It needs to be supported by all clients that connect.
        Multiple curves can be specified by using a colon-separated list.
        It does not need to be the same curve used by the server's Elliptic
        Curve key.  This parameter can only be set in the
        <filename>postgresql.conf</filename> file or on the server command line.
        The default is <literal>X25519:prime256v1</literal>.
       </para>

       <para>
        <productname>OpenSSL</productname> names for the most common curves
        are:
        <literal>prime256v1</literal> (NIST P-256),
        <literal>secp384r1</literal> (NIST P-384),
        <literal>secp521r1</literal> (NIST P-521).
        An incomplete list of available groups can be shown with the command
        <command>openssl ecparam -list_curves</command>.  Not all of them are
        usable with <acronym>TLS</acronym> though, and many supported group
        names and aliases are omitted.
       </para>

       <para>
        In <productname>PostgreSQL</productname> versions before 18.0 this
        setting was named <literal>ssl_ecdh_curve</literal> and only accepted
        a single value.
       </para>
      </listitem>
     </varlistentry>
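The parameters described in these entries (`ssl_ciphers`, `ssl_prefer_server_ciphers`, `ssl_groups` and `ssl_min_protocol_version`) are usually reviewed together. The following added example, which is not PostgreSQL project code, parses a `postgresql.conf` fragment and reports settings that fall short of a small hardened baseline. The two configuration fragments are constructed for illustration; the documented defaults used are `on` for `ssl_prefer_server_ciphers` and `X25519:prime256v1` for `ssl_groups`, while the allowed-groups set and the `TLSv1.2` floor are policy assumptions, not values from the documentation. The parser handles the common `name = value` syntax (single-quoted strings, `''` escapes, `#` comments) but not `include` directives.

```python
"""Audit the SSL GUCs in a postgresql.conf against a hardened baseline.

Added example, not PostgreSQL project code.
"""
import re
import sys
from typing import Dict, List

# Constructed postgresql.conf fragments (hypothetical values, for illustration).
WEAK_CONF = """\
# - SSL -
ssl = on
ssl_ciphers = 'HIGH:MEDIUM:+3DES'          # anonymous suites not excluded
ssl_prefer_server_ciphers = off            # client's preference order wins
#ssl_groups = 'X25519:prime256v1'          # commented out: server default applies
ssl_min_protocol_version = 'TLSv1'
"""

HARDENED_CONF = """\
ssl = on
ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'
ssl_prefer_server_ciphers = on
ssl_groups = 'X25519:prime256v1:secp384r1'
ssl_min_protocol_version = 'TLSv1.2'
"""

# Documented defaults that apply when the parameter is absent or commented out.
DEFAULTS = {"ssl_prefer_server_ciphers": "on", "ssl_groups": "X25519:prime256v1"}

# Policy assumptions: groups every connecting client is known to support, and
# the lowest protocol version this deployment accepts.
ALLOWED_GROUPS = {"X25519", "prime256v1", "secp384r1", "secp521r1"}
PROTOCOL_ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
MIN_ACCEPTABLE = "TLSv1.2"

_LINE = re.compile(r"^([A-Za-z_][A-Za-z0-9_.]*)\s*=?\s*(.*?)\s*$")


def _parse_value(raw: str) -> str:
    """Strip quotes and trailing comments from the right-hand side of a setting."""
    if raw.startswith("'"):
        out, i = [], 1
        while i < len(raw):
            if raw[i] == "'":
                if raw[i + 1:i + 2] == "'":      # '' is an escaped quote
                    out.append("'")
                    i += 2
                    continue
                break
            out.append(raw[i])
            i += 1
        return "".join(out)
    return re.split(r"\s|#", raw, maxsplit=1)[0]


def parse_conf(text: str) -> Dict[str, str]:
    """Return explicitly set parameters; commented-out lines keep the default."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = _LINE.match(stripped)
        if m:
            settings[m.group(1)] = _parse_value(m.group(2))   # last assignment wins
    return settings


def _is_on(value: str) -> bool:
    # PostgreSQL also accepts unambiguous prefixes of these words; ignored here.
    return value.strip().lower() in ("on", "true", "yes", "1")


def audit_ssl_settings(settings: Dict[str, str]) -> List[str]:
    """Return one finding per setting that misses the baseline."""
    findings = []
    effective = {**DEFAULTS, **settings}

    ciphers = settings.get("ssl_ciphers")     # absent means the server default
    if ciphers is not None and "!aNULL" not in ciphers.split(":"):
        findings.append("ssl_ciphers does not exclude anonymous (aNULL) suites")

    if not _is_on(effective["ssl_prefer_server_ciphers"]):
        findings.append("ssl_prefer_server_ciphers is off: the client's order wins")

    unknown = [g for g in effective["ssl_groups"].split(":") if g not in ALLOWED_GROUPS]
    if unknown:
        findings.append("ssl_groups has groups outside the allowed set: " + ", ".join(unknown))

    proto = settings.get("ssl_min_protocol_version")
    if proto is not None:
        if proto not in PROTOCOL_ORDER:
            findings.append(f"ssl_min_protocol_version has unknown value {proto!r}")
        elif PROTOCOL_ORDER.index(proto) < PROTOCOL_ORDER.index(MIN_ACCEPTABLE):
            findings.append(f"ssl_min_protocol_version {proto} is below {MIN_ACCEPTABLE}")
    return findings


if __name__ == "__main__":
    # Usage: python audit_ssl.py [path/to/postgresql.conf]; defaults to the weak sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_CONF
    for finding in audit_ssl_settings(parse_conf(text)) or ["no findings"]:
        print(finding)
```

An unset `ssl_min_protocol_version` is deliberately not flagged: a commented-out parameter takes the compiled-in default, which the audit does not assume.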

     <varlistentry id="guc-ssl-min-protocol-version" xreflabel="ssl_min_protocol_version">
      <term><varname>ssl_min_protocol_version</varname> (<type>enum</type>)
      <indexterm>
       <primary><varname>ssl_min_protocol_version</varname> configuration parameter</primary>
      </indexterm>
      </term>
      <listitem>
       <para>
        Sets the minimum SSL/TLS protocol version to use.  Valid values are
        currently: <literal>TLSv1</literal>, <literal>TLSv1.1</literal>,
        <literal>TLSv1.2</literal>, <literal>TLSv1.3</literal>.  Older
        versions of

Title: SSL Configuration: Cipher Preferences, ECDH Groups, and Minimum Protocol Version
Summary
This section covers several SSL configuration parameters. It details how to determine available cipher suites based on the OpenSSL version and server key type. It introduces `ssl_prefer_server_ciphers`, which determines whether the server's cipher preferences are used instead of the client's, noting its backward compatibility role. Then it discusses `ssl_groups`, which specifies the curve for ECDH key exchange and lists common OpenSSL curve names, cautioning that not all listed curves are usable with TLS. The section ends by introducing the `ssl_min_protocol_version` parameter, used to set the minimum allowed SSL/TLS protocol version.