-<!-- $PostgreSQL: pgsql/doc/src/sgml/config.sgml,v 1.111 2007/02/16 02:59:40 momjian Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/config.sgml,v 1.112 2007/02/16 16:37:29 tgl Exp $ -->
<chapter Id="runtime-config">
<title>Server Configuration</title>
</listitem>
</varlistentry>
- <varlistentry id="guc-ssl-ciphers" xreflabel="ssl-ciphers">
- <term><varname>ssl_ciphers> (<type>string</type>)</term>
+ <varlistentry id="guc-ssl-ciphers" xreflabel="ssl_ciphers">
+ <term><varname>ssl_ciphers</varname> (<type>string</type>)</term>
<indexterm>
<primary><varname>ssl_ciphers</> configuration parameter</primary>
</indexterm>
<listitem>
<para>
- Specifies a list of <acronym>SSL</> ciphers which can be used to
-
establish secure connections. See the <application>openssl</>
+ Specifies a list of <acronym>SSL</> ciphers that are allowed to be
+
used on secure connections. See the <application>openssl</>
manual page for a list of supported ciphers.
</para>
</listitem>
-<!-- $PostgreSQL: pgsql/doc/src/sgml/libpq.sgml,v 1.230 2007/02/16 03:50:29 momjian Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/libpq.sgml,v 1.231 2007/02/16 16:37:29 tgl Exp $ -->
<chapter id="libpq">
<title><application>libpq</application> - C Library</title>
<primary><envar>PGSSLKEY</envar></primary>
</indexterm>
<envar>PGSSLKEY</envar>
-specifies the hardware token which stores the secret key for the client
-certificate, instead of a file. The value of this variable should consist
+specifies the hardware token that stores the secret key for the client
+certificate. The value of this variable should consist
of a colon-separated engine name (engines are <productname>OpenSSL</>
-loadable modules) and an engine-specific key identifier.
+loadable modules) and an engine-specific key identifier. If this is not
+set, the secret key must be kept in a file.
</para>
</listitem>
<listitem>
for increased security. See <xref linkend="ssl-tcp"> for details
about the server-side <acronym>SSL</> functionality.
</para>
+
<para>
- <application>libpq</application> reads the system-wide
- <productname>OpenSSL</productname> configuration file. By default, this
- file is named <filename>openssl.cnf</filename> and is located in the
- directory reported by <application>openssl</>:
- <programlisting>
- openssl version -d
- </programlisting>
- The default can be overriden by setting environment variable
- <envar>OPENSSL_CONF</envar> to the name of the desired configuration
- file.
+ <application>libpq</application> reads the system-wide
+ <productname>OpenSSL</productname> configuration file. By default, this
+ file is named <filename>openssl.cnf</filename> and is located in the
+ directory reported by <literal>openssl version -d</>.
+ This default can be overridden by setting environment variable
+ <envar>OPENSSL_CONF</envar> to the name of the desired configuration
+ file.
</para>
+
<para>
If the server demands a client certificate,
<application>libpq</application>
will send the certificate stored in file
<filename>~/.postgresql/postgresql.crt</> within the user's home directory.
A matching private key file <filename>~/.postgresql/postgresql.key</>
- must also be present, and must not be world-readable, unless the secret
- key is stored in a hardware token, as specified by
- <envar>PGSSLKEY</envar>.
+ must also be present, unless the secret key for the certificate is stored
+ in a hardware token, as specified by <envar>PGSSLKEY</envar>.
(On Microsoft Windows these files are named
<filename>%APPDATA%\postgresql\postgresql.crt</filename> and
<filename>%APPDATA%\postgresql\postgresql.key</filename>.)
+ The private key file must not be world-readable.
</para>
<para>
should consist of a colon-separated engine name and key identifier. In
this case, <application>libpq</application> will load the specified
engine, i.e. the <productname>OpenSSL</> module which supports special
- hardware and reference the key with the specified identifier.
+ hardware, and reference the key with the specified identifier.
Identifiers are engine-specific. Typically, cryptography hardware tokens
do not reveal secret keys to the application. Instead, applications
delegate all cryptography operations which require the secret key to
-<!-- $PostgreSQL: pgsql/doc/src/sgml/runtime.sgml,v 1.377 2007/02/16 02:59:40 momjian Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/runtime.sgml,v 1.378 2007/02/16 16:37:29 tgl Exp $ -->
<chapter Id="runtime">
<title>Operating System Environment</title>
<para>
<productname>OpenSSL</productname> supports a wide range of ciphers
and authentication algorithms, whose strength varies significantly.
- You can restrict the list of ciphers which can be used to connect to
- your server using the <xref linkend="guc-ssl-ciphers"> parameter.
+ You can restrict the list of ciphers that can be used to connect to
+ your server by adjusting the <xref linkend="guc-ssl-ciphers"> parameter.
</para>
<para>
- <productname>PostgreSQL</productname> reads a system-wide
- <productname>OpenSSL</productname> configuration file. By default this
+ <productname>PostgreSQL</productname> reads the system-wide
+ <productname>OpenSSL</productname> configuration file. By default, this
file is named <filename>openssl.cnf</filename> and is located in the
- directory reported by <application>openssl</>:
- <programlisting>
- openssl version -d
- </programlisting>
- This default can be overriden by setting environment variable
- <envar>OPENSSL_CONF</envar> to the name of desired configuration file.
+ directory reported by <literal>openssl version -d</>.
+ This default can be overridden by setting environment variable
+ <envar>OPENSSL_CONF</envar> to the name of the desired configuration file.
</para>
<para>
projects / postgresql / commitdiff