Enables
SSL> connections. Please read
- before using this. The default
+ -tcp"> before using this. The default
is off.
-
+ -tcp">
Secure TCP/IP Connections with SSL
can be started with the argument
SSL connections. When starting in SSL mode, the postmaster will look
for the files server.key> and server.crt> in
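Review bot: the cross-reference added on the first `+ -tcp">` line and the section id added on the second `+ -tcp">` line are visible only as the trailing `-tcp"` fragment, so confirm that the linkend in the reference and the id attribute on the section are spelled identically; a link whose target id differs by a single character breaks the documentation build rather than showing up as a bad link. The sentence "Please read ... before using this" would also be more useful if it said why the reader must read the referenced section first, namely that the key and certificate files have to be in place before an SSL-enabled server will start, which is exactly what that section states a few lines further down.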
- the data directory. These files should contain the server private key
+ the data directory (pointed to by PGDATA).
+ These files should contain the server private key
and certificate respectively. These files must be set up correctly
before an SSL-enabled server can start. If the private key is protected
with a passphrase, the postmaster will prompt for the passphrase and will
The postmaster will listen for both standard and SSL connections
on the same TCP/IP port, and will negotiate with any connecting
- client wether to use SSL or not. See
+ client whether or not to use SSL.
+ See
about how to force on the server side the use of SSL for certain
connections.
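Review bot: the retained line "for the files server.key> and server.crt> in" together with the new "+ the data directory (pointed to by PGDATA)." documents the certificate as server.crt, while the section being removed further down documents it as server.cert; verify which name the postmaster actually opens and make the text agree with the code before merging, since a wrong file name here leaves an administrator with a server that cannot find its certificate. The "+ See" line begins a cross-reference whose target is not shown in the hunk; the removed section named the mechanism explicitly ("Use the pg_hba.conf file to optionally require SSL"), so either check that the xref resolves to the pg_hba.conf discussion or keep the file name in the sentence so the reader knows where to look. The context line "with a passphrase, the postmaster will prompt for the passphrase and will" ends mid-sentence in this excerpt; the removed text continues "not start until it has been provided", so confirm that continuation is still present in the file after the change.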
-
-
Secure TCP/IP Connection with SSL
-
- PostgreSQL has native support for connections over SSL to encrypt
- client/server communications for increased security. This requires
-
OpenSSL to be installed on both client
- and server systems and support enabled at compile-time using
- the configure script.
-
-
- With SSL support compiled in, the Postgres backend can be
- started with argument -l to enable SSL connections.
- When starting in SSL mode, the postmaster will look for the
- files server.key and
- server.cert in the PGDATA
- directory. These files should contain the server private key and
- certificate respectively. If the private key is protected with a
- passphrase, the postmaster will prompt for the passphrase and not
- start until it has been provided.
-
-
- The postmaster will listen for both standard and SSL connections
- on the same TCP/IP port, and will negotiate with any connecting
- client wether to use SSL or not. Use the pg_hba.conf
- file to optionally require SSL in order to accept a connection.
-
-
- For details on how to create your server private key and certificate,
- refer to the OpenSSL documentation. A simple self-signed certificate
- can be used to get started testing, but a certificate signed by a CA
- (either one of the global CAs or a local one) should be used in
- production so the client can verify the servers identity. To create
- a quick self-signed certificate, use the CA.pl
- script included in OpenSSL:
- CA.pl -newcert
-
- Fill out the information the script asks for. Make sure to enter
- the local hostname as Common Name. The script will generate a key
- which is passphrase protected. To remove the passphrase (required
- if you want automatic startup of the postmaster), run the command
- openssl x509 -inform PEM -outform PEM -in newreq.pem -out newkey_no_passphrase.pem
-
- Enter the old passphrase to unlock the existing key. Copy the file
- newreq.pem to PGDATA/server.cert
- and newkey_no_passphrase.pem to
- PGDATA/server.key. Remove the PRIVATE KEY part
- from the server.cert using any text editor.
-
-
-
-
+
Secure TCP/IP Connections with SSH tunnels
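Review bot: this removal drops the only procedural guidance the chapter had (generating the key and certificate with "CA.pl -newcert", removing the passphrase for unattended startup, stripping the PRIVATE KEY block from the certificate file) along with the security advice that a self-signed certificate is for testing only and a CA-signed certificate belongs in production so the client can verify the server's identity. If the intent is to merge this section into the one above rather than delete it, none of that survives in the retained text, so either carry it over or add a pointer to where it now lives. If the passphrase-removal step is carried over, fix it first: "openssl x509 -inform PEM -outform PEM -in newreq.pem -out newkey_no_passphrase.pem" operates on the certificate and does not decrypt a private key; "openssl rsa -in newreq.pem -out newkey_no_passphrase.pem" is the command that prompts for the old passphrase and writes the key unencrypted. The step "Remove the PRIVATE KEY part from the server.cert using any text editor" also deserves a sentence on file permissions, because a copy of the unencrypted key sits in the certificate file until that edit is made, and the retained text above says nothing about how server.key should be protected.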