PostgreSQL version:

ssl_ciphers

Specifies a list of SSL cipher suites that are allowed to be used on secure connections. See the ciphers manual page in the OpenSSL package for the syntax of this setting and a list of supported values. This parameter can only be set in the postgresql.conf file or on the server command line. The default value is HIGH:MEDIUM:+3DES:!aNULL. The default is usually a reasonable choice unless you have specific security requirements.

Explanation of the default value: HIGH

  • Cipher suites that use ciphers from HIGH group (e.g., AES, Camellia, 3DES)

  • MEDIUM
  • Cipher suites that use ciphers from MEDIUM group (e.g., RC4, SEED)

  • +3DES
  • The OpenSSL default order for HIGH is problematic because it orders 3DES higher than AES128. This is wrong because 3DES offers less security than AES128, and it is also much slower. +3DES reorders it after all other HIGH and MEDIUM ciphers.

  • !aNULL
  • Disables anonymous cipher suites that do no authentication. Such cipher suites are vulnerable to man-in-the-middle attacks and therefore should not be used.

  • Available cipher suite details will vary across OpenSSL versions. Use the command openssl ciphers -v 'HIGH:MEDIUM:+3DES:!aNULL' to see actual details for the currently installed OpenSSL version. Note that this list is filtered at run time based on the server key type.

    Recommendations

    Allows DBAs to require “strong enough” or preset ciphers for SSL connections. If you have not compiled SSL support, this parameter will not be available.

    Comments

    At postgresqlCO.NF (OnGres) we value your privacy and treat all data very seriously. We're fully GDPR compliant, and we continuously monitor and improve our data storage, retention and compliance mechanisms.

    This web page does not, however, store any PII (Personally Identifiable Information). The only service that stores any data is Google Analytics, and we use it to gather analytics of the web page.

    This website contains some data from the official documentation of the PostgreSQL.org project, and from Annotated.Conf, used with permission.

    If you have any question or concern about our terms of service or privacy policy, please contact us at dataprotection _at_ ongres _dot_ com.

    OK