doc: Document that ssl_ciphers does not affect TLS 1.3

TLS 1.3 uses a different way of specifying ciphers and a different
OpenSSL API.  PostgreSQL currently does not support setting those
ciphers.  For now, just document this.  In the future, support for
this might be added somehow.

Reviewed-by: Jonathan S. Katz 
Reviewed-by: Tom Lane 

diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index ca6a3a523ff689a8d89f4a0bd98983a418f123a1..6ce59078967ce2aaec510cf252a476453de486bf 100644 (file)
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -1216,16 +1216,22 @@ include_dir 'conf.d'
       
       
        
-        Specifies a list of SSL cipher suites that are allowed to be
-        used on secure connections.  See
-        the ciphers manual page
-        in the OpenSSL package for the syntax of this setting
-        and a list of supported values.
-        This parameter can only be set in the postgresql.conf
-        file or on the server command line.
-        The default value is HIGH:MEDIUM:+3DES:!aNULL.  The
-        default is usually a reasonable choice unless you have specific
-        security requirements.
+        Specifies a list of SSL cipher suites that are
+        allowed to be used by SSL connections.  See the
+        ciphers
+        manual page in the OpenSSL package for the
+        syntax of this setting and a list of supported values.  Only
+        connections using TLS version 1.2 and lower are affected.  There is
+        currently no setting that controls the cipher choices used by TLS
+        version 1.3 connections.  The default value is
+        HIGH:MEDIUM:+3DES:!aNULL.  The default is usually a
+        reasonable choice unless you have specific security requirements.
+       
+
+       
+        This parameter can only be set in the
+        postgresql.conf file or on the server command
+        line.