<!-- doc/src/sgml/sslinfo.sgml -->
<indexterm zone="sslinfo">
<primary>sslinfo</primary>
The <filename>sslinfo</> module provides information about the SSL
certificate that the current client provided when connecting to
<productname>PostgreSQL</>. The module is useless (most functions
will return NULL) if the current connection does not use SSL.
This extension won't build at all unless the installation was
configured with <literal>--with-openssl</>.
<title>Functions Provided</title>
ssl_is_used() returns boolean
Returns TRUE if the current connection to the server uses SSL, and FALSE
ssl_version() returns text
Returns the name of the protocol used for the SSL connection (e.g. SSLv2,
ssl_cipher() returns text
Returns the name of the cipher used for the SSL connection
(e.g. DHE-RSA-AES256-SHA).
ssl_client_cert_present() returns boolean
Returns TRUE if the current client has presented a valid SSL client
certificate to the server, and FALSE otherwise. (The server
might or might not be configured to require a client certificate.)
ssl_client_serial() returns numeric
Returns the serial number of the current client certificate. The combination of
certificate serial number and certificate issuer is guaranteed to
uniquely identify a certificate (but not its owner — the owner
ought to regularly change his keys, and get new certificates from the
So, if you run your own CA and allow only certificates from this CA to
be accepted by the server, the serial number is the most reliable (albeit
not very mnemonic) means to identify a user.
ssl_client_dn() returns text
Returns the full subject of the current client certificate, converting
character data into the current database encoding. It is assumed that
if you use non-ASCII characters in the certificate names, your
database is able to represent these characters, too. If your database
uses the SQL_ASCII encoding, non-ASCII characters in the name will be
represented as UTF-8 sequences.
The result looks like <literal>/CN=Somebody/C=Some country/O=Some organization</>.
ssl_issuer_dn() returns text
Returns the full issuer name of the current client certificate, converting
character data into the current database encoding. Encoding conversions
are handled the same as for <function>ssl_client_dn</>.
The combination of the return value of this function with the
certificate serial number uniquely identifies the certificate.
This function is really useful only if you have more than one trusted CA
certificate in your server's <filename>root.crt</> file, or if this CA
has issued some intermediate certificate authority certificates.
ssl_client_dn_field(fieldname text) returns text
This function returns the value of the specified field in the
certificate subject, or NULL if the field is not present.
Field names are string constants that are
converted into ASN1 object identifiers using the OpenSSL object
database. The following values are acceptable:
<literallayout class="monospaced">
commonName (alias CN)
countryName (alias C)
localityName (alias L)
stateOrProvinceName (alias ST)
organizationName (alias O)
organizationalUnitName (alias OU)
All of these fields are optional, except <structfield>commonName</>.
It depends entirely on your CA's policy which of them would be included and which
wouldn't. The meaning of these fields, however, is strictly defined by
the X.500 and X.509 standards, so you cannot just assign arbitrary
ssl_issuer_field(fieldname text) returns text
Same as <function>ssl_client_dn_field</>, but for the certificate issuer
rather than the certificate subject.
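Putting the identification advice above into practice, as an added example that is not part of the sslinfo documentation or the module's code: an allow-list keyed on (issuer DN, serial number) rather than on the subject, checked by a SQL function that a session can call directly or that a row-level security policy can use. The table, function and view names and the enrolled sample values are invented.

```sql
-- Added example, not from the sslinfo documentation: identify a client by
-- (issuer DN, serial), as the text recommends, rather than by its subject.
-- Table, function and view names are invented; sample values are constructed.
CREATE EXTENSION IF NOT EXISTS sslinfo;

-- One row per certificate that has been enrolled for a database role.
-- Keying on issuer + serial means a re-issued certificate for the same
-- person is not trusted until it is enrolled here explicitly.
CREATE TABLE trusted_client_certs (
    issuer_dn text    NOT NULL,
    serial    numeric NOT NULL,
    db_role   name    NOT NULL,
    PRIMARY KEY (issuer_dn, serial)
);

-- TRUE only when the session is encrypted, a client certificate was
-- presented, and that exact certificate is enrolled for the current role.
CREATE OR REPLACE FUNCTION current_cert_is_enrolled() RETURNS boolean
LANGUAGE sql STABLE AS $$
    SELECT ssl_is_used()
       AND ssl_client_cert_present()
       AND EXISTS (
           SELECT 1 FROM trusted_client_certs t
           WHERE t.issuer_dn = ssl_issuer_dn()
             AND t.serial    = ssl_client_serial()
             AND t.db_role   = current_user
       );
$$;

-- Session summary for troubleshooting; most columns are NULL without SSL.
CREATE OR REPLACE VIEW my_tls_session AS
SELECT current_user                      AS db_role,
       ssl_is_used()                     AS ssl_used,
       ssl_version()                     AS protocol,
       ssl_cipher()                      AS cipher,
       ssl_client_cert_present()         AS cert_present,
       ssl_client_dn_field('commonName') AS cert_cn,
       ssl_issuer_dn()                   AS issuer,
       ssl_client_serial()               AS serial,
       current_cert_is_enrolled()        AS enrolled;

-- Enrol a certificate (constructed placeholder issuer DN and serial).
INSERT INTO trusted_client_certs VALUES
    ('/C=XX/O=Example CA/CN=Example Issuing CA', 4711, 'app_reader');

-- Row-level security (PostgreSQL 9.5 or later): rows visible only with an enrolled cert.
CREATE TABLE sensitive_data (id int PRIMARY KEY, payload text);
ALTER TABLE sensitive_data ENABLE ROW LEVEL SECURITY;
CREATE POLICY cert_required ON sensitive_data FOR SELECT USING (current_cert_is_enrolled());
```

Because the key is the certificate rather than its subject, a renewed certificate for the same person yields a new serial and must be enrolled again, which is the behaviour the serial-number discussion above implies.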
<title>Author</title>
Victor Wagner <email>vitus@cryptocom.ru</email>, Cryptocom LTD
E-Mail of Cryptocom OpenSSL development group:
<email>openssl@cryptocom.ru</email>