-list_curves</command>. Not all of them are
usable with <acronym>TLS</acronym> though, and many supported group
names and aliases are omitted.
</para>
<para>
In <productname>PostgreSQL</productname> versions before 18.0 this
setting was named <literal>ssl_ecdh_curve</literal> and only accepted
a single value.
</para>
</listitem>
</varlistentry>
<varlistentry id="guc-ssl-min-protocol-version" xreflabel="ssl_min_protocol_version">
<term><varname>ssl_min_protocol_version</varname> (<type>enum</type>)
<indexterm>
<primary><varname>ssl_min_protocol_version</varname> configuration parameter</primary>
</indexterm>
</term>
<listitem>
<para>
Sets the minimum SSL/TLS protocol version to use. Valid values are
currently: <literal>TLSv1</literal>, <literal>TLSv1.1</literal>,
<literal>TLSv1.2</literal>, <literal>TLSv1.3</literal>. Older
versions of the <productname>OpenSSL</productname> library do not
support all values; an error will be raised if an unsupported setting
is chosen. Protocol versions before TLS 1.0, namely SSL version 2 and
3, are always disabled.
</para>
<para>
The default is <literal>TLSv1.2</literal>, which satisfies industry
best practices as of this writing.
</para>
<para>
This parameter can only be set in the <filename>postgresql.conf</filename>
file or on the server command line.
</para>
</listitem>
</varlistentry>
<varlistentry id="guc-ssl-max-protocol-version" xreflabel="ssl_max_protocol_version">
<term><varname>ssl_max_protocol_version</varname> (<type>enum</type>)
<indexterm>
<primary><varname>ssl_max_protocol_version</varname> configuration parameter</primary>
</indexterm>
</term>
<listitem>
<para>
Sets the maximum SSL/TLS protocol version to use. Valid values are as
for <xref linkend="guc-ssl-min-protocol-version"/>, with the addition of
an empty string, which allows any protocol version. The default is to
allow any version. Setting the maximum protocol version is mainly
useful for testing or if some component has issues working with a
newer protocol.
</para>
<para>
This parameter can only be set in the <filename>postgresql.conf</filename>
file or on the server command line.
</para>
</listitem>
</varlistentry>
<varlistentry id="guc-ssl-dh-params-file" xreflabel="ssl_dh_params_file">
<term><varname>ssl_dh_params_file</varname> (<type>string</type>)
<indexterm>
<primary><varname>ssl_dh_params_file</varname> configuration parameter</primary>
</indexterm>
</term>
<listitem>
<para>
Specifies the name of the file containing Diffie-Hellman parameters
used for the so-called ephemeral DH family of SSL ciphers. The default is
empty, in which case compiled-in default DH parameters are used. Using
custom DH parameters reduces the exposure if an attacker manages to
crack the well-known compiled-in DH parameters. You can create your own
DH parameters file with the command
<command>openssl dhparam -out dhparams.pem 2048</command>.
</para>
<para>
This parameter can only be set in the <filename>postgresql.conf</filename>
file or on the server command line.
</para>
</listitem>
</varlistentry>
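As an added example (not part of the PostgreSQL documentation or source), the following script reads the text of a postgresql.conf and reports how ssl_min_protocol_version, ssl_max_protocol_version and ssl_dh_params_file deviate from the behaviour described above. The simplified line parser, the finding messages and the sample configuration are constructed for illustration.

```python
import re

VERSIONS = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]   # ascending order
RANK = {v.lower(): i for i, v in enumerate(VERSIONS)}
DEFAULTS = {"ssl_min_protocol_version": "TLSv1.2",      # defaults per the text
            "ssl_max_protocol_version": "", "ssl_dh_params_file": ""}
# name [=] 'quoted value' | bare value; a line starting with # never matches
LINE = re.compile(r"^\s*(\w+)\s*=?\s*(?:'((?:[^']|'')*)'|([^\s#]*))")

def parse_conf(text):
    """Effective values of the three settings; the last assignment wins."""
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        m = LINE.match(line)
        if m and m.group(1).lower() in conf:
            quoted, bare = m.group(2), m.group(3)
            conf[m.group(1).lower()] = bare if quoted is None else quoted.replace("''", "'")
    return conf

def audit(text):
    """Return findings for the TLS settings in the text of a postgresql.conf."""
    conf, findings = parse_conf(text), []
    # Assumption: enum values are matched case-insensitively.
    lo = RANK.get(conf["ssl_min_protocol_version"].lower())
    hi_raw = conf["ssl_max_protocol_version"]
    hi = RANK.get(hi_raw.lower()) if hi_raw else len(VERSIONS) - 1  # '' = any
    if lo is None:
        findings.append("ssl_min_protocol_version: not a valid value")
    elif lo < RANK["tlsv1.2"]:
        findings.append("ssl_min_protocol_version: below the default TLSv1.2")
    if hi is None:
        findings.append("ssl_max_protocol_version: not a valid value")
    elif hi_raw and hi < len(VERSIONS) - 1:
        findings.append("ssl_max_protocol_version: caps the negotiated version")
    if lo is not None and hi is not None and hi < lo:
        findings.append("protocol range is empty: maximum is below minimum")
    if not conf["ssl_dh_params_file"]:
        findings.append("ssl_dh_params_file: empty, compiled-in DH parameters used")
    return findings

SAMPLE = """\
# constructed sample, not taken from a real server
ssl_min_protocol_version = 'TLSv1'
#ssl_min_protocol_version = 'TLSv1.3'
ssl_max_protocol_version = 'TLSv1.2'   # pinned for a legacy client
ssl_dh_params_file = ''
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```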
<varlistentry id="guc-ssl-passphrase-command" xreflabel="ssl_passphrase_command">
<term><varname>ssl_passphrase_command</varname> (<type>string</type>)
<indexterm>
<primary><varname>ssl_passphrase_command</varname> configuration parameter</primary>
</indexterm>
</term>
<listitem>
<para>
Sets an external command to be invoked when a passphrase