From d40c7cd00422ac9a1284a1ecb5d6c0671c5ec6e4 Mon Sep 17 00:00:00 2001 From: Peter Eisentraut Date: Wed, 7 Mar 2018 11:32:51 -0500 Subject: [PATCH] doc: Add more substructure to SSL documentation The SSL documentation text has gotten a bit long, so add some subsections and reorder for better flow. --- doc/src/sgml/runtime.sgml | 66 ++++++++++++++++++++++----------------- 1 file changed, 37 insertions(+), 29 deletions(-) diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml index 4929d5529d..587b430527 100644 --- a/doc/src/sgml/runtime.sgml +++ b/doc/src/sgml/runtime.sgml @@ -2158,6 +2158,9 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433 enabled at build time (see ). + + Basic Setup + With SSL support compiled in, the PostgreSQL server can be started with @@ -2171,35 +2174,6 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433 use of SSL for some or all connections. - - PostgreSQL reads the system-wide - OpenSSL configuration file. By default, this - file is named openssl.cnf and is located in the - directory reported by openssl version -d. - This default can be overridden by setting environment variable - OPENSSL_CONF to the name of the desired configuration file. - - - - OpenSSL supports a wide range of ciphers - and authentication algorithms, of varying strength. While a list of - ciphers can be specified in the OpenSSL - configuration file, you can specify ciphers specifically for use by - the database server by modifying in - postgresql.conf. - - - - - It is possible to have authentication without encryption overhead by - using NULL-SHA or NULL-MD5 ciphers. However, - a man-in-the-middle could read and pass communications between client - and server. Also, encryption overhead is minimal compared to the - overhead of authentication. For these reasons NULL ciphers are not - recommended. - - - To start in SSL mode, files containing the server certificate and private key must exist. By default, these files are expected to be 
@@ -2245,6 +2219,40 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433 server.crt. Instead, clients must have the root certificate of the server's certificate chain. + + + + OpenSSL Configuration + + + PostgreSQL reads the system-wide + OpenSSL configuration file. By default, this + file is named openssl.cnf and is located in the + directory reported by openssl version -d. + This default can be overridden by setting environment variable + OPENSSL_CONF to the name of the desired configuration file. + + + + OpenSSL supports a wide range of ciphers + and authentication algorithms, of varying strength. While a list of + ciphers can be specified in the OpenSSL + configuration file, you can specify ciphers specifically for use by + the database server by modifying in + postgresql.conf. + + + + + It is possible to have authentication without encryption overhead by + using NULL-SHA or NULL-MD5 ciphers. However, + a man-in-the-middle could read and pass communications between client + and server. Also, encryption overhead is minimal compared to the + overhead of authentication. For these reasons NULL ciphers are not + recommended. + + + Using Client Certificates -- 2.40.0
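Review bot: In the first hunk (@@ -2158 and @@ -2171) the "Basic Setup" title is dropped in directly before the paragraph starting "With SSL support compiled in", and the three removed paragraphs (openssl.cnf/OPENSSL_CONF, the cipher list, and the NULL-cipher note) are lifted out verbatim, which matches the reorder-only intent of the commit message; one thing to check while this text is being touched is the NULL-cipher paragraph, which still opens with "It is possible to have authentication without encryption overhead" before saying NULL ciphers are "not recommended". Since the paragraph's own conclusion is that a man-in-the-middle could read and pass the traffic, consider leading with the recommendation against NULL ciphers and confirming that the "NULL-SHA or NULL-MD5" examples and the "encryption overhead is minimal compared to the overhead of authentication" claim still hold for the OpenSSL versions the build supports, rather than carrying the sentence forward unchanged.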
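Review bot: In the second hunk (@@ -2245) the moved cipher paragraph reads "you can specify ciphers specifically for use by the database server by modifying in postgresql.conf", with nothing between "modifying" and "in"; as shown here the cross-reference to the server's cipher-list parameter is missing, so verify that the xref survived the move into the new "OpenSSL Configuration" subsection. Two smaller points on the same block: the OPENSSL_CONF sentence ("This default can be overridden by setting environment variable OPENSSL_CONF") would benefit from stating that it must be set in the server process's environment, since a reader of a runtime chapter may otherwise set it in a client shell; and the new subsection sits between the paragraph ending "clients must have the root certificate of the server's certificate chain" and "Using Client Certificates", so a one-line lead sentence tying the OpenSSL configuration to the certificate setup just described would keep the flow the commit message is aiming for.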