-
+
Client Authentication
local database authentication-method [ authentication-option ]
host database IP-address IP-mask authentication-method [ authentication-option ]
+hostssl database IP-address IP-mask authentication-method [ authentication-option ]
The meaning of the fields is as follows:
+
+ hostssl
+
+ This record pertains to connection attemps with SSL over
+ TCP/IP. Note that SSL connections are completely disabled
+ unless the server is started with the -i ,
+ and also require ordinary TCP/IP connections to be enabled.
+ SSL connections also require SSL support to be enabled in
+ the backend at compile time.
+
+
+
+
database
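Review bot: the sentence "unless the server is started with the -i ," in the hostssl description is incomplete and ambiguous: the option name is followed by nothing, and the later "Secure TCP/IP Connection with SSL" section says SSL is enabled with -l while -i is what enables ordinary TCP/IP connections. Suggest spelling both out, e.g. "unless the server is started with the -l option, and also require ordinary TCP/IP connections to be enabled (-i)". Also "attemps" should read "attempts".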
-
+
PostgreSQL> ]]>Installation Instructions
+
+ --with-openssl=DIRECTORY>
+
+ Build with support for SSL (encrypted) connections.
+ This requires the OpenSSL library to be installed.
+ The DIRECTORY> argument specifies the
+ root directory of the OpenSSL installation.
+
+
+ configure> will check for the required header
+ files and libraries to make sure that your OpenSSL
+ installation is sufficient before proceeding.
+
+
+
+
--enable-syslog
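Review bot: the option and command names in this hunk carry a dangling ">" ("--with-openssl=DIRECTORY>", "DIRECTORY>", "configure>"), which looks like an unbalanced markup tag; check that each opening tag has its matching close so the rendered text shows --with-openssl=DIRECTORY and configure without the stray character.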
+
+
+ requiressl
+
+ Set to '1' to require SSL connection to the backend. Libpq
+ will then refuse to connect if the server does not support
+ SSL. Set to '0' (default) to negotiate with server.
+
+
+
If any parameter is unspecified, then the corresponding
server host, not the local host!
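Review bot: the requiressl entry says only that libpq "will refuse to connect if the server does not support SSL"; it does not say whether the server certificate is checked. Since the PQgetssl entry in this same patch leaves certificate checking to the caller via the returned SSL structure, state explicitly that requiressl=1 guarantees an encrypted connection but not the identity of the server, so readers do not assume it protects against a spoofed server.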
+
+
+ PQgetssl
+ Returns the SSL structure used in the connection, or NULL
+ if SSL is not in use.
+
+SSL *PQgetssl(const PGconn *conn);
+
+ This structure can be used to verify encryption levels, check
+ server certificate and more. Refer to the OpenSSL documentation
+ for information about this structure.
+
+ You must define USE_SSL in order to get the
+ prototype for this function. Doing this will also
+ automatically include ssl.h from OpenSSL.
+
+
+
+
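Review bot: the PQgetssl entry does not say who owns the returned SSL structure or how long it stays valid; add a sentence stating that it belongs to the connection and must not be freed by the caller (or whatever the intended contract is). It would also help to say where USE_SSL must be defined (before including the libpq header) and that defining it makes the application depend on the OpenSSL headers at build time, since "automatically include ssl.h" implies exactly that.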
Secure TCP/IP Connection with SSL
+
+ PostgreSQL has native support for connections over SSL to encrypt
+ client/server communications for increased security. This requires
+
OpenSSL to be installed on both client
+ and server systems and support enabled at compile-time using
+ the configure script.
+
+
+ With SSL support compiled in, the Postgres backend can be
+ started with argument -l to enable SSL connections.
+ When starting in SSL mode, the postmaster will look for the
+ files server.key and
+ server.cert in the PGDATA
+ directory. These files should contain the server private key and
+ certificate respectively. If the private key is protected with a
+ passphrase, the postmaster will prompt for the passphrase and not
+ start until it has been provided.
+
+
+ The postmaster will listen for both standard and SSL connections
+ on the same TCP/IP port, and will negotiate with any connecting
+ client wether to use SSL or not. Use the pg_hba.conf
+ file to optionally require SSL in order to accept a connection.
+
+
+ For details on how to create your server private key and certificate,
+ refer to the OpenSSL documentation. A simple self-signed certificate
+ can be used to get started testing, but a certificate signed by a CA
+ (either one of the global CAs or a local one) should be used in
+ production so the client can verify the servers identity. To create
+ a quick self-signed certificate, use the CA.pl
+ script included in OpenSSL:
+ CA.pl -newcert
+
+ Fill out the information the script asks for. Make sure to enter
+ the local hostname as Common Name. The script will generate a key
+ which is passphrase protected. To remove the passphrase (required
+ if you want automatic startup of the postmaster), run the command
+ openssl x509 -inform PEM -outform PEM -in newreq.pem -out newkey_no_passphrase.pem
+
+ Enter the old passphrase to unlock the existing key. Copy the file
+ newreq.pem to PGDATA/server.cert
+ and newkey_no_passphrase.pem to
+ PGDATA/server.key . Remove the PRIVATE KEY part
+ from the server.cert using any text editor.
+
+
+
Secure TCP/IP Connection with SSH
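Review bot: the passphrase-removal command in the "Secure TCP/IP Connection with SSL" hunk is wrong for its stated purpose: "openssl x509 -inform PEM -outform PEM -in newreq.pem -out newkey_no_passphrase.pem" operates on the certificate, so it will not decrypt or re-write the private key, and the paragraph then tells the reader to copy a file that still contains no unencrypted key to PGDATA/server.key. The key has to be re-encoded with the RSA key tool instead, e.g. "openssl rsa -in newreq.pem -out newkey_no_passphrase.pem", which is also the step that actually prompts for the old passphrase as the text describes. While here: "wether" should be "whether", "servers identity" should be "server's identity", and since the passphrase-free key is what the postmaster reads at startup, a sentence about keeping server.key readable only by the postmaster user would be worth adding.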