-
+
PGSSLKEY
-specifies the hardware token which stores the secret key for the client
-certificate, instead of a file. The value of this variable should consist
+specifies the hardware token that stores the secret key for the client
+certificate. The value of this variable should consist
of a colon-separated engine name (engines are
OpenSSL>
-loadable modules) and an engine-specific key identifier.
+loadable modules) and an engine-specific key identifier. If this is not
+set, the secret key must be kept in a file.
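Review bot: the new closing sentence "If this is not set, the secret key must be kept in a file." replaces "instead of a file" but still does not say which file or how it must be protected; since the SSL Support text in this same patch names ~/.postgresql/postgresql.key (and %APPDATA%\postgresql\postgresql.key on Windows) and requires that it not be world-readable, point the reader there from this entry, e.g. "...must be kept in the key file described in the SSL Support section" or the equivalent xref, so that someone who only reads the environment-variable entry does not miss the permission requirement.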
for increased security. See for details
about the server-side
SSL> functionality.
+
-
libpq reads the system-wide
-
OpenSSL configuration file. By default, this
- file is named openssl.cnf and is located in the
- directory reported by
openssl>:
- openssl version -d
-
- The default can be overriden by setting environment variable
- OPENSSL_CONF to the name of the desired configuration
- file.
+
libpq reads the system-wide
+
OpenSSL configuration file. By default, this
+ file is named openssl.cnf and is located in the
+ directory reported by openssl version -d>.
+ This default can be overridden by setting environment variable
+ OPENSSL_CONF to the name of the desired configuration
+ file.
+
If the server demands a client certificate,
will send the certificate stored in file
~/.postgresql/postgresql.crt> within the user's home directory.
A matching private key file ~/.postgresql/postgresql.key>
- must also be present, and must not be world-readable, unless the secret
- key is stored in a hardware token, as specified by
- PGSSLKEY.
+ must also be present, unless the secret key for the certificate is stored
+ in a hardware token, as specified by PGSSLKEY.
(On Microsoft Windows these files are named
%APPDATA%\postgresql\postgresql.crt and
%APPDATA%\postgresql\postgresql.key.)
+ The private key file must not be world-readable.
should consist of a colon-separated engine name and key identifier. In
this case,
libpq will load the specified
engine, i.e. the
OpenSSL> module which supports special
- hardware and reference the key with the specified identifier.
+ hardware, and reference the key with the specified identifier.
Identifiers are engine-specific. Typically, cryptography hardware tokens
do not reveal secret keys to the application. Instead, applications
delegate all cryptography operations which require the secret key to
-
+
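Review bot: moving "must not be world-readable" out of the "unless ... hardware token" clause into the standalone sentence "The private key file must not be world-readable." is the right call, since it makes the permission requirement apply whenever a key file is used rather than reading as part of the hardware-token exception; however, the new sentence now sits directly after the Windows parenthetical, and "world-readable" is a Unix permission-bits notion, so either say what is expected for the %APPDATA%\postgresql\postgresql.key file (readable only by the user's own account) or scope the sentence to the Unix file. Separately, the final -/+ pair of this hunk looks like a whitespace-only change (both lines are blank as shown); either drop it from a wording patch or mention it in the commit message so reviewers are not left looking for a content difference.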
Operating System Environment
OpenSSL supports a wide range of ciphers
and authentication algorithms, whose strength varies significantly.
- You can restrict the list of ciphers which can be used to connect to
- your server using the parameter.
+ You can restrict the list of ciphers that can be used to connect to
+ your server by adjusting the parameter.
-
PostgreSQL reads
a system-wide
-
OpenSSL configuration file. By default this
+
PostgreSQL reads
the system-wide
+
OpenSSL configuration file. By default
, this
file is named openssl.cnf and is located in the
- directory reported by
openssl>:
- openssl version -d
-
- This default can be overriden by setting environment variable
- OPENSSL_CONF to the name of desired configuration file.
+ directory reported by openssl version -d>.
+ This default can be overridden by setting environment variable
+ OPENSSL_CONF to the name of the desired configuration file.
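Review bot: in the new text "By default" is followed by ", this" on the next line; if that line break is really in the source and not an artifact of how the patch was pasted, the rendered output gets a space before the comma ("By default , this"), so keep "By default, this" on one line as the libpq hunk earlier in this patch does. This server-side paragraph is now almost word for word the same as the libpq one (same openssl.cnf location, same openssl version -d command, same OPENSSL_CONF override, same "overriden" typo fixed in both); consider having one of the two reference the other so the two copies cannot drift apart again.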